Getting Data In

Why is the Windows log going to the wrong sourcetype?

So76
Explorer

Logs are going to source="WinEventLog:Application" sourcetype="WinEventLog" instead of source="WinEventLog:Security" sourcetype="WinEventLog:Security".

Ran this search

index=*** sourcetype="*wineventlog*" rha***s-wds EventCode=517 signature="The audit log was cleared"


VatsalJagani
SplunkTrust

@So76  - Can you please share the following information?

  • Splunk version
  • The inputs.conf contents that are collecting the logs
  • Do you have any parsing-stage attributes that change metadata dynamically?
    • Search for "MetaData:Sourcetype" in transforms.conf on your indexers and heavy forwarders.

isoutamo
SplunkTrust

Also, you should tell us whether you are using Splunk_TA_windows (and which version) or whether you have created those configurations yourself.

If you are using it, have you installed it on all needed layers (UF - HF/IDX - SH) or only on some?

r. Ismo


So76
Explorer

Below is the config in TA_windows. No props or transforms. I did not configure it.

[WinEventLog://Application]
disabled=0
index=*****

[WinEventLog://Security]
disabled=0
index=rhr_windows
blacklist=4674,5156

[WinEventLog://System]
disabled=0
index=*****

[WinEventLog://Microsoft-Windows-AppLocker/EXE and DLL]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index=*****
renderXml=false

[WinEventLog://Microsoft-Windows-AppLocker/MSI and Script]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index=*****
renderXml=false

[WinEventLog://Microsoft-Windows-AppLocker/Packaged app-Deployment]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index=*****
renderXml=false

[WinEventLog://Microsoft-Windows-AppLocker/Packaged app-Execution]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index=*****


So76
Explorer

Splunk version 8.2, but the HF is on 8.1.5.


VatsalJagani
SplunkTrust

Your configuration seems okay. I personally have not heard of any bug reported for Splunk that generates data in wrong sourcetypes.

You are also using the recent version of Splunk so that is even less likely to have that issue.

If you are sure that there are no props.conf or transforms.conf stanzas added/updated related to this data then you can contact Splunk support.


So76
Explorer

Will contact Splunk support.


isoutamo
SplunkTrust

One thing you should still do is check those with btool on your HF (/UF).

# For inputs on source system HF or was it UF?
splunk btool inputs list <stanza name here> --debug
# And for sourcetypes on your HF
splunk btool props list <sourcetype name here> --debug

That shows whether there are still some other config files which override those settings.

r. Ismo 

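The two checks suggested in this thread (btool to see which .conf file wins for a stanza, and a hunt for transforms.conf stanzas that rewrite MetaData:Sourcetype or MetaData:Source) can be rehearsed offline. The script below is an added example, not Splunk's code and not the poster's configuration: it layers .conf files the way the global-context precedence is documented (system/local over apps/*/local over apps/*/default over system/default, app directories in ASCII name order with the first-sorted app winning; treat that ordering as an assumption and confirm it against real `btool --debug` output on your HF), reports which file supplied each key of a stanza, and lists transforms and `[source::...]` props stanzas that reassign sourcetype, together with the props `TRANSFORMS-*` keys that reference them. The mini SPLUNK_HOME it builds, including the stray `sourcetype = WinEventLog` override in system/local and the `force_generic_sourcetype` transform, is constructed sample data, not anything found on the poster's systems.

```python
#!/usr/bin/env python3
"""Offline stand-in for `splunk btool <conf> list <stanza> --debug` plus a scan
for parse-time source/sourcetype rewrites. Example code, not Splunk's own.
Precedence model is an assumption; verify against btool on a real instance."""
import configparser
import pathlib
import tempfile
from typing import Dict, List, Tuple

# Constructed sample SPLUNK_HOME (not the poster's real configuration).
SAMPLE = {
    "etc/apps/Splunk_TA_windows/default/inputs.conf": "[WinEventLog://Security]\ndisabled = 1\n",
    "etc/apps/Splunk_TA_windows/local/inputs.conf":
        "[WinEventLog://Security]\ndisabled = 0\nindex = rhr_windows\nblacklist = 4674,5156\n",
    # A forgotten override of the kind btool --debug surfaces (constructed).
    "etc/system/local/inputs.conf": "[WinEventLog://Security]\nsourcetype = WinEventLog\n",
    "etc/apps/zz_custom/local/transforms.conf":
        "[force_generic_sourcetype]\nREGEX = .\nDEST_KEY = MetaData:Sourcetype\n"
        "FORMAT = sourcetype::WinEventLog\n",
    "etc/apps/zz_custom/local/props.conf":
        "[WinEventLog:Security]\nTRANSFORMS-force = force_generic_sourcetype\n",
}


def _parse(path: pathlib.Path) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like: '=' delimiter, case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read(path, encoding="utf-8")
    return cp


def precedence_order(splunk_home: str) -> List[pathlib.Path]:
    """Config directories from lowest to highest precedence (global context)."""
    etc = pathlib.Path(splunk_home) / "etc"
    apps_dir = etc / "apps"
    apps = sorted((p for p in apps_dir.iterdir() if p.is_dir()),
                  key=lambda p: p.name) if apps_dir.is_dir() else []
    # First-sorted app wins, so it must be applied last: reverse the ASCII order.
    order = [etc / "system" / "default"]
    order += [a / "default" for a in reversed(apps)]
    order += [a / "local" for a in reversed(apps)]
    order += [etc / "system" / "local"]
    return order


def resolve(splunk_home: str, conf: str, stanza: str) -> Dict[str, Tuple[str, str]]:
    """Merge one stanza across all layers: key -> (winning value, winning file)."""
    merged: Dict[str, Tuple[str, str]] = {}
    for d in precedence_order(splunk_home):
        f = d / f"{conf}.conf"
        if f.is_file():
            cp = _parse(f)
            if cp.has_section(stanza):
                for k, v in cp.items(stanza):
                    merged[k] = ((v or "").strip(), str(f))
    return merged


def find_metadata_rewrites(splunk_home: str) -> List[dict]:
    """Transforms with DEST_KEY MetaData:Sourcetype/Source and [source::] props
    stanzas that set sourcetype, each with the props TRANSFORMS-* keys naming it."""
    refs: Dict[str, List[str]] = {}
    hits: List[dict] = []
    for d in precedence_order(splunk_home):
        p, t = d / "props.conf", d / "transforms.conf"
        if p.is_file():
            cp = _parse(p)
            for s in cp.sections():
                for k, v in cp.items(s):
                    if k.startswith("TRANSFORMS-"):
                        for name in (v or "").split(","):
                            refs.setdefault(name.strip(), []).append(f"[{s}] {k} in {p}")
                if s.startswith("source::") and cp.has_option(s, "sourcetype"):
                    hits.append({"file": str(p), "stanza": s, "dest": "sourcetype",
                                 "format": (cp.get(s, "sourcetype") or "").strip()})
        if t.is_file():
            cp = _parse(t)
            for s in cp.sections():
                dest = (cp.get(s, "DEST_KEY", fallback="") or "").strip()
                if dest in ("MetaData:Sourcetype", "MetaData:Source"):
                    hits.append({"file": str(t), "stanza": s, "dest": dest,
                                 "format": (cp.get(s, "FORMAT", fallback="") or "").strip()})
    for h in hits:
        h["referenced_by"] = refs.get(h["stanza"], [])
    return hits


def build_sample_tree() -> str:
    """Write the constructed SAMPLE files under a temporary SPLUNK_HOME."""
    home = pathlib.Path(tempfile.mkdtemp(prefix="splunk_home_"))
    for rel, text in SAMPLE.items():
        f = home / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(text, encoding="utf-8")
    return str(home)


def main() -> None:
    home = build_sample_tree()
    print(f"constructed SPLUNK_HOME: {home}")
    for key, (val, src) in sorted(resolve(home, "inputs", "WinEventLog://Security").items()):
        print(f"{src}\n    {key} = {val}")
    for h in find_metadata_rewrites(home):
        print(f"rewrite [{h['stanza']}] {h['dest']} -> {h['format']} in {h['file']} "
              f"(referenced by: {h['referenced_by'] or 'nothing'})")


if __name__ == "__main__":
    main()
```

Point `resolve()` and `find_metadata_rewrites()` at a copy of a real `$SPLUNK_HOME/etc` from the HF and the UF to compare what each layer contributes; the real `btool --debug` output remains the authority, since this script does not model deployment-server overlays, user-context precedence or `props.conf` source-type rules beyond a plain `sourcetype` key.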

So76
Explorer

Will run btool as suggested. Will get back to you.
