
Why is Splunk Triggering Windows Event 6417?

sd1200
New Member

Greetings,

I'm running Splunk Enterprise on a Windows Server (requirement driven). The Windows Server & Splunk have FIPS Mode Enabled (another requirement). 

The Splunk Process (splunkd.exe) is causing the windows server to generate an excessive number of 6417 events (The FIPS mode crypto selftests succeeded) in the local Windows Security Log, creating excessive noise in the logs (4,500/hr) and eating up HDD space.

Any indication why and/or steps I can take to limit beyond turning off FIPS?

0 Karma

shivanshu1593
Builder

If you are looking at not ingesting EventCode 6417 in Splunk, you can always blacklist it in inputs.conf. In terms of doing something in the Event Viewer or at the server level, it is out of scope for Splunk. You can always try out-of-the-box ideas such as, but not limited to, creating exclusion filters, or developing a PowerShell script and having it run every 30 minutes to rotate the .evtx files, granted you have stored/ingested them somewhere, like Splunk.

++If this helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
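As an added example (not the answerer's own configuration), this is what the inputs.conf blacklist suggested above looks like on the Windows host running Splunk. The `[WinEventLog://Security]` stanza name and the `blacklist` syntax follow the Splunk Windows Event Log input settings; the index name is an assumption.

```ini
# inputs.conf on the Windows Server (e.g. $SPLUNK_HOME\etc\system\local\inputs.conf)
[WinEventLog://Security]
disabled = 0
# Assumed index name; replace it with the index your Security log already goes to.
index = wineventlog
# Drop the FIPS self-test success events (EventCode 6417) before they are indexed.
# Plain event-ID list form (comma-separated if more IDs are needed):
blacklist = 6417
# Equivalent key=regex form, useful if you later need to match on other fields too:
# blacklist1 = EventCode=%^6417$%
```

This only stops the events from being indexed (restart splunkd after editing); the local Security .evtx file keeps growing at the same rate, so the disk-space side of the problem needs the Event Viewer or log-rotation approach mentioned above.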

sd1200
New Member

Thank you for the info/reply and suggestions on mitigations. 

I understand there are some workarounds to minimize the impact of this issue, but it seems like there is a configuration issue or bug with Splunk that is triggering an exorbitant number of 6417 events. There are no other systems on my network generating even a fraction of that number of events.

I would like to solve the issue with the Splunk application (or associated configurations) if possible, but I also understand this is somewhat of an edge case.  

Thank you again


0 Karma

shivanshu1593
Builder

Splunk Enterprise uses cryptographic functions rigorously for many operations, so the firing of these events seems to be expected activity, as you have the FIPS mode crypto self-tests turned on. Do you have more Splunk servers which are exhibiting this behavior? I'd recommend filing a support case with Splunk and providing the diag of the server where Splunk is installed, but I'm pretty sure they'll tell you the same thing.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###