Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why are we receiving all Windows event log data ex...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are we receiving all Windows event log data except security logs from our domain controller?
Hi,
Having issues in not seeing our security logs from our DC. Here is our code:
[WinEventLog://Security]
disabled = 0
start_from = oldset
current_only = 0
checkpointInterval = 5
This inputs file is located under here with all the other code:
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local
We are receiving Application, system, etc. but no security logs.
Also, we ran the following command splunk btool inputs list and see the following blacklist show up ..
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
but we still are not receiving any security logs for our DC, but are receiving everything else. Can anyone shed some light into this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
someone resolved this issue?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Simply add your Splunk user to the local built-in "Event Log Readers" group in all your domain controllers and that will grant them access to the local event logs in those servers. You can populate this via GPO too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Because we run Splunk on our DCs w/a service account to be able to collect other AD related data, we had to add permissions to allow access to the security logs (since we didn't make the service account a domain admin). Maybe this will help you:
For us, we used a policy assigned to our domain controllers: Group Policy - Computer Policy> Windows Settings> Security Settings> Local Policies > User Rights Assignment:
Setting: Manage auditing and security log
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have this problem too. Member servers forward their Security log just fine. It does not work on Domain Controllers.,We have the same (or similar) problem. Member servers forward their Security Event Log events just fine. Domain Controllers do not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, just removed UAC from the server 2012 R2 and able to see more sourcetype (was at 3 and now 5) but still no security event logs.... only Application, System, Directory Service, DNS Server, DNS Replication
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition, version is 6.2.2 and the DC is windows server 2008 R2 (and we are trying as well on Windows Server 2012 R2) but same results.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Data Management Digest – May 2026
