Having issues in not seeing our security logs from our DC. Here is our code:
[WinEventLog://Security] disabled = 0 start_from = oldset current_only = 0 checkpointInterval = 5
This inputs file is located under here with all the other code:
We are receiving Application, system, etc. but no security logs.
Also, we ran the following command splunk btool inputs list and see the following blacklist show up ..
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
but we still are not receiving any security logs for our DC, but are receiving everything else. Can anyone shed some light into this?
In addition, version is 6.2.2 and the DC is windows server 2008 R2 (and we are trying as well on Windows Server 2012 R2) but same results.
Also, just removed UAC from the server 2012 R2 and able to see more sourcetype (was at 3 and now 5) but still no security event logs.... only Application, System, Directory Service, DNS Server, DNS Replication
We have this problem too. Member servers forward their Security log just fine. It does not work on Domain Controllers.,We have the same (or similar) problem. Member servers forward their Security Event Log events just fine. Domain Controllers do not.
Because we run Splunk on our DCs w/a service account to be able to collect other AD related data, we had to add permissions to allow access to the security logs (since we didn't make the service account a domain admin). Maybe this will help you:
For us, we used a policy assigned to our domain controllers: Group Policy - Computer Policy> Windows Settings> Security Settings> Local Policies > User Rights Assignment:
Setting: Manage auditing and security log
Simply add your Splunk user to the local built-in "Event Log Readers" group in all your domain controllers and that will grant them access to the local event logs in those servers. You can populate this via GPO too.