I am using an intermediary server (server 2) to collect forwarded logs from many servers (servers 3, 4, 5, etc.) and then I use a Splunk forwarder on there to forward those events to my full Splunk instance server (server 1).
However, my events are not being forwarded properly. On server 2 they look like this:
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {*****************}
EventID 4769
Version 0
Level 0
Task 14337
Opcode 0
Keywords 0x6020000000000000
- TimeCreated
[ SystemTime] 2015-02-23T14:17:22.10657400Z
EventRecordID 705673
Correlation
- Execution
[ ProcessID] 568
[ ThreadID] 5524
Channel Security
Computer ****************
Security
TargetUserName *********
TargetDomainName ************
ServiceName *********
ServiceSid *********
TicketOptions 0x40810345
TicketEncryptionType 0x13
IpAddress ***********
IpPort ********
Status 0x0
LogonGuid {************}
TransmittedServices -
[ Culture] en-US
Message [*long message here*]
Task Kerberos Service Ticket Operations
Opcode Info
Channel Security
Provider Microsoft Windows security auditing.
Keyword Audit Success
But in Splunk it just appears like this:
02/23/2015 02:08:40 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4769
EventType=0
Type=Microsoft Windows security auditing.
ComputerName=************
TaskCategory=Microsoft Windows security auditing.
OpCode=Microsoft Windows security auditing.
RecordNumber=705673
Keywords=Microsoft Windows security auditing.
Message=Microsoft Windows security auditing.
What could be happening in between that is affecting my event details?
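One way to pin down which fields are being lost between server 2 and server 1 is to parse both renderings and compare them field by field. The script below is an added example, not code from the original post or from Splunk; the two sample events are constructed from the fragments quoted above (masked values replaced with obvious placeholders), and the mapping between the server-2 field names and the Splunk field names is an assumption drawn from those two listings. It reports every mapped field whose value differs, and separately lists the Splunk fields that all carry the provider name, which is the symptom described in the question.

```python
"""Cross-check a Windows Security event as rendered on the intermediary
(server 2) against the key=value event that arrived in Splunk (server 1).

Added example, not from the original post or from Splunk. Both sample
events are constructed from the fragments quoted in the question.
"""
import re

# Constructed: the field dump as rendered on server 2 (XML-style listing).
SERVER2_EVENT = """\
[ Name] Microsoft-Windows-Security-Auditing
EventID 4769
Version 0
Level 0
Task 14337
Opcode 0
Keywords 0x6020000000000000
[ SystemTime] 2015-02-23T14:17:22.10657400Z
EventRecordID 705673
Channel Security
Computer DC01.EXAMPLE.LOCAL
Task Kerberos Service Ticket Operations
Opcode Info
Provider Microsoft Windows security auditing.
Keyword Audit Success
"""

# Constructed: the same event as it was indexed in Splunk.
SPLUNK_EVENT = """\
02/23/2015 02:08:40 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4769
EventType=0
Type=Microsoft Windows security auditing.
ComputerName=DC01.EXAMPLE.LOCAL
TaskCategory=Microsoft Windows security auditing.
OpCode=Microsoft Windows security auditing.
RecordNumber=705673
Keywords=Microsoft Windows security auditing.
Message=Microsoft Windows security auditing.
"""

# Splunk field -> server-2 field expected to carry the same value.
# Assumption: this pairing is inferred from the two listings above.
FIELD_MAP = {
    "LogName": "Channel",
    "EventCode": "EventID",
    "ComputerName": "Computer",
    "RecordNumber": "EventRecordID",
    "TaskCategory": "Task",
    "OpCode": "Opcode",
    "Keywords": "Keyword",
    "SourceName": "Provider",
}

# Matches either "[ Name] value" or "Name value".
LINE_RE = re.compile(r"^(?:\[\s*(\w+)\]|(\w+))\s+(.*\S)\s*$")


def parse_server2(text):
    """Parse the server-2 listing into a dict. A name that appears twice
    (Task, Opcode) keeps its last value, i.e. the rendered text."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group(1) or m.group(2)] = m.group(3)
    return fields


def parse_splunk(text):
    """Parse Key=Value lines; the timestamp line has no '=' and is skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def compare_events(server2_text, splunk_text):
    """Return (splunk_field, splunk_value, server2_value) for every mapped
    field whose value differs between the two renderings."""
    src = parse_server2(server2_text)
    dst = parse_splunk(splunk_text)
    return [(f, dst.get(f), src.get(s))
            for f, s in FIELD_MAP.items() if dst.get(f) != src.get(s)]


def collapsed_fields(splunk_fields):
    """Fields other than SourceName whose value equals the provider name:
    several distinct fields repeating one string is the symptom in question."""
    provider = splunk_fields.get("SourceName")
    return sorted(k for k, v in splunk_fields.items()
                  if k != "SourceName" and v == provider)


if __name__ == "__main__":
    for field, got, want in compare_events(SERVER2_EVENT, SPLUNK_EVENT):
        print(f"{field}: Splunk has {got!r}, server 2 shows {want!r}")
    print("collapsed:", collapsed_fields(parse_splunk(SPLUNK_EVENT)))
```

Run against the constructed samples, the comparison reports TaskCategory, OpCode and Keywords as mismatched, while LogName, EventCode, ComputerName, RecordNumber and SourceName still agree; the collapsed-field check lists Type, TaskCategory, OpCode, Keywords and Message as all carrying the provider name. Running the same comparison on a real pair of events (paste the server-2 listing and the indexed event into the two strings) tells you whether the loss is confined to the rendered text fields or also affects the numeric ones.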
I have had this setup "a long time ago", and it worked without this kind of problem at least. Have you made any changes on the Windows collector side as to how it processes or maybe writes/saves the events to disk again? XML versus text or something?
No. I just installed the splunk_TA_windows app onto my forwarder and that is what I got through.
Aaah yeah, but you need to do some configuration on the Windows side to have another Windows server act as an "event log receiver". This is where some of the things might get screwed up "already".
It is a Linux server that is acting as the receiver, though.