Getting Data In
Highlighted

Why are we receiving all Windows event log data except security logs from our domain controller?

New Member

Hi,

Having issues in not seeing our security logs from our DC. Here is our code:

[WinEventLog://Security]
disabled = 0
start_from = oldset
current_only = 0
checkpointInterval = 5

This inputs file is located under here with all the other code:
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkTAwindows\local

We are receiving Application, system, etc. but no security logs.

Also, we ran the following command splunk btool inputs list and see the following blacklist show up ..

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"

but we still are not receiving any security logs for our DC, but are receiving everything else. Can anyone shed some light into this?

0 Karma
Highlighted

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

New Member

In addition, version is 6.2.2 and the DC is windows server 2008 R2 (and we are trying as well on Windows Server 2012 R2) but same results.

0 Karma
Highlighted

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

New Member

Also, just removed UAC from the server 2012 R2 and able to see more sourcetype (was at 3 and now 5) but still no security event logs.... only Application, System, Directory Service, DNS Server, DNS Replication

0 Karma
Highlighted

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

New Member

We have this problem too. Member servers forward their Security log just fine. It does not work on Domain Controllers.,We have the same (or similar) problem. Member servers forward their Security Event Log events just fine. Domain Controllers do not.

0 Karma
Highlighted

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

New Member

Because we run Splunk on our DCs w/a service account to be able to collect other AD related data, we had to add permissions to allow access to the security logs (since we didn't make the service account a domain admin). Maybe this will help you:

For us, we used a policy assigned to our domain controllers: Group Policy - Computer Policy> Windows Settings> Security Settings> Local Policies > User Rights Assignment:

Setting: Manage auditing and security log

0 Karma
Highlighted

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

SplunkTrust
SplunkTrust

Simply add your Splunk user to the local built-in "Event Log Readers" group in all your domain controllers and that will grant them access to the local event logs in those servers. You can populate this via GPO too.

0 Karma
Highlighted

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

Path Finder

Hello,

someone resolved this issue?

Thanks

0 Karma