Why am I getting duplicate Windows event log entries for the same record, but different hosts, sources and sourcetypes?

Path Finder

I get two entries in Splunk for the same record (RecordNumber=10993503). One has the host name as an FQDN and the source type as follows:

host = DC1.domain.name
source = WMI:WinEventLog:System 
sourcetype = WMI:WinEventLog:System 

The other has the following without the FQDN and WMI:

host = DC1 
source = WinEventLog:System 
sourcetype = WinEventLog:System 

Does anyone know how this is happening?

Thanks
Tom

2/23/15 2:44:57.000 PM

20150223144457.000000
Category=0
CategoryString=NULL
EventCode=5805
EventIdentifier=5805
EventType=1
Logfile=System
RecordNumber=10993503
SourceName=NETLOGON
TimeGenerated=20150223194457.000000-000
TimeWritten=20150223194457.000000-000
Type=Error
User=NULL
ComputerName=DC1.domain.name
wmi_type=WinEventLog:System
Message=The session setup from the computer BOBCAT-8 failed to authenticate. The following error occurred: 
Access is denied.
host = DC1.domain.name
source = WMI:WinEventLog:System 
sourcetype = WMI:WinEventLog:System 

2/23/15 2:44:57.000 PM

02/23/2015 02:44:57 PM
LogName=System
SourceName=NETLOGON
EventCode=5805
EventType=2
Type=Error
ComputerName=DC1.domain.name
TaskCategory=The operation completed successfully.
OpCode=Info
RecordNumber=10993503
Keywords=Classic
Message=The session setup from the computer BOBCAT-8 failed to authenticate. The following error occurred: 
Access is denied.
host = DC1 
source = WinEventLog:System 
sourcetype = WinEventLog:System 

Re: Why am I getting duplicate Windows event log entries for the same record, but different hosts, sources and sourcetypes?

Splunk Employee

Are you sure you only have one inputs.conf entry that pulls System event logs?
If you go to event viewer on the source host, do you just see a single event being logged?


Re: Why am I getting duplicate Windows event log entries for the same record, but different hosts, sources and sourcetypes?

Engager

Found that Snare was also installed and posting to Splunk. That is why one was sourcetype=WMI:WinEventLog:System and the other was not (just WinEventLog:System).

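As an added example (not code from this thread or from Splunk), the script below normalises the two event formats quoted above, the WMI input's Logfile/ComputerName fields and the Snare/WinEventLog path's LogName field, and flags records that were indexed through more than one collection path; the sample events are constructed, and the Splunk search in the comment is an assumed equivalent rather than anything posted here.

```python
import re
from collections import defaultdict

# Constructed samples in the two formats shown in the thread: the same record
# (RecordNumber 10993503) once as the WMI input renders it and once as the
# Snare/WinEventLog path renders it, plus one unrelated record.
EVENTS = [
    {"host": "DC1.domain.name", "sourcetype": "WMI:WinEventLog:System",
     "raw": "20150223144457.000000\nCategory=0\nEventCode=5805\nLogfile=System\n"
            "RecordNumber=10993503\nSourceName=NETLOGON\nComputerName=DC1.domain.name\n"
            "Message=The session setup from the computer BOBCAT-8 failed to authenticate."},
    {"host": "DC1", "sourcetype": "WinEventLog:System",
     "raw": "02/23/2015 02:44:57 PM\nLogName=System\nSourceName=NETLOGON\nEventCode=5805\n"
            "ComputerName=DC1.domain.name\nRecordNumber=10993503\n"
            "Message=The session setup from the computer BOBCAT-8 failed to authenticate."},
    {"host": "DC1", "sourcetype": "WinEventLog:System",
     "raw": "02/23/2015 02:45:10 PM\nLogName=System\nSourceName=NETLOGON\nEventCode=5805\n"
            "ComputerName=DC1.domain.name\nRecordNumber=10993504\nMessage=Constructed sample."},
]

KV_LINE = re.compile(r"^([A-Za-z_]+)=(.*)$", re.M)

def parse_fields(raw):
    """Pull key=value lines out of an event body; the leading timestamp line has no key."""
    return dict(KV_LINE.findall(raw))

def event_key(event):
    """Identity of one Windows event record regardless of how it was collected.
    The WMI input calls the log 'Logfile', the WinEventLog path calls it 'LogName',
    and RecordNumber is only unique per log per computer, so all three are needed.
    The host is reduced to its short name so DC1 and DC1.domain.name match."""
    fields = parse_fields(event["raw"])
    log = fields.get("Logfile") or fields.get("LogName")
    computer = fields.get("ComputerName", event["host"]).split(".")[0].upper()
    return (computer, log, fields["RecordNumber"])

def find_duplicates(events):
    """Return records that arrived through more than one (sourcetype, host) pair."""
    collectors = defaultdict(set)
    for event in events:
        collectors[event_key(event)].add((event["sourcetype"], event["host"]))
    return {key: sorted(paths) for key, paths in collectors.items() if len(paths) > 1}

# Rough Splunk equivalent (assumed search, adapt index/sourcetypes to your data):
#   (sourcetype=WMI:WinEventLog:System OR sourcetype=WinEventLog:System)
#   | stats dc(sourcetype) AS paths values(sourcetype) values(host) BY ComputerName RecordNumber
#   | where paths > 1

if __name__ == "__main__":
    for key, paths in find_duplicates(EVENTS).items():
        print(key, "was indexed by", paths)
```

A record that shows up under two (sourcetype, host) pairs is the signature of two collectors (here the WMI input and the Snare agent) feeding the same log; fixing it means removing one input, not deduplicating at search time.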

Re: Why am I getting duplicate Windows event log entries for the same record, but different hosts, sources and sourcetypes?

Community Manager

Hi @fcuisit

Are you also the user who posted this question, just using a different account?


Re: Why am I getting duplicate Windows event log entries for the same record, but different hosts, sources and sourcetypes?

Engager

Oh yeah, didn't realize it.
