
Why does the Splunk forwarder not send the same data from WinEventLog:Security?

Path Finder

This is what I get from the universal forwarder:

Message=Security Enabled Global Group Member Removed:  
    Member Name:    -  
    Member ID:  %{S-1-5-21-1659004503-813497703-682003330-1006}  
    Target Account Name:    None  
    Target Domain:  TEST-4  
    Target Account ID:  %{S-1-5-21-1659004503-813497703-682003330-513}  
    Caller User Name:   test  
    Caller Domain:  TEST-4  
    Caller Logon ID:    (0x0,0x111E1)  
    Privileges: -  

This is the same event, but seen in Event Viewer:

Description:  
Security Enabled Local Group Member Removed:  
    Member Name:    -  
    Member ID:  TEST-4\temp1  
    Target Account Name:    Administrators  
    Target Domain:  Builtin  
    Target Account ID:  BUILTIN\Administrators  
    Caller User Name:   test  
    Caller Domain:  TEST-4  
    Caller Logon ID:    (0x0,0x111E1)  
    Privileges: -  

You will see that some fields are different, e.g. Member ID, Target Account Name, Target Domain, Target Account ID.
How can I configure the Splunk forwarder to get the same data as I see in Event Viewer?

Why does the forwarder change the data before sending it to the indexer?

0 Karma

Champion

They look to me like different events. The forwarder doesn't change any of the data that I have seen.
In your first paste, that looks like an event log entry generated for an object that has been deleted while a reference to it still exists; Windows uses those strings (object references) in place of object names when they no longer exist.
Your second event paste explicitly says it is related to the builtin admin account, but the first one doesn't have a target account name, which would suggest to me that they are different events.

Could you double check that you have matched them correctly?

0 Karma
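A way to check the two pastes side by side, as an added example that is not part of either post and not Splunk code: the script below parses the "Field:  value" body of a Windows Security log message into a dictionary, flags values that are still unresolved SID placeholders of the form `%{S-1-5-...}`, and lists the fields on which the forwarder copy and the Event Viewer copy disagree. The two sample messages are the ones quoted in the question, trimmed to the message body; the small well-known RID table is general Windows knowledge and not taken from the thread.

```python
import re

# Sample inputs: the two messages quoted in the question, trimmed to the body.
FORWARDER_EVENT = r"""Message=Security Enabled Global Group Member Removed:
    Member Name:    -
    Member ID:  %{S-1-5-21-1659004503-813497703-682003330-1006}
    Target Account Name:    None
    Target Domain:  TEST-4
    Target Account ID:  %{S-1-5-21-1659004503-813497703-682003330-513}
    Caller User Name:   test
    Caller Domain:  TEST-4
    Caller Logon ID:    (0x0,0x111E1)
    Privileges: -
"""

EVENT_VIEWER_EVENT = r"""Description:
Security Enabled Local Group Member Removed:
    Member Name:    -
    Member ID:  TEST-4\temp1
    Target Account Name:    Administrators
    Target Domain:  Builtin
    Target Account ID:  BUILTIN\Administrators
    Caller User Name:   test
    Caller Domain:  TEST-4
    Caller Logon ID:    (0x0,0x111E1)
    Privileges: -
"""

# Unresolved object reference as Windows renders it when a SID could not be
# mapped to a name, e.g. %{S-1-5-21-...-1006}.
SID_PLACEHOLDER = re.compile(r"^%\{(S-1-\d+(?:-\d+)*)\}$")

# Well-known relative identifiers under a domain SID (S-1-5-21-<domain>-RID).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}


def parse_event(text):
    """Turn a Security log message body into a dict of field -> value.

    The first "Something:" line that carries no value is taken as the event
    description and stored under the key "Event"; a leading "Message=" prefix
    and a bare "Description:" header line are ignored.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Description:":
            continue
        if line.startswith("Message="):
            line = line[len("Message="):]
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if not value and "Event" not in fields:
            fields["Event"] = key
        else:
            fields[key] = value
    return fields


def unresolved_sids(fields):
    """Return [(field, sid), ...] for every value left as a SID placeholder."""
    found = []
    for key, value in fields.items():
        match = SID_PLACEHOLDER.match(value)
        if match:
            found.append((key, match.group(1)))
    return found


def describe_sid(sid):
    """Name the well-known RID of a domain SID, or None if it is not well known."""
    if not sid.startswith("S-1-5-21-"):
        return None
    rid = int(sid.rsplit("-", 1)[1])
    return WELL_KNOWN_RIDS.get(rid)


def diff_events(left, right):
    """Map each field whose value differs to a (left_value, right_value) pair."""
    diffs = {}
    for key in sorted(set(left) | set(right)):
        if left.get(key) != right.get(key):
            diffs[key] = (left.get(key), right.get(key))
    return diffs


if __name__ == "__main__":
    fwd = parse_event(FORWARDER_EVENT)
    viewer = parse_event(EVENT_VIEWER_EVENT)
    for field, sid in unresolved_sids(fwd):
        print(f"forwarder copy: {field} is unresolved {sid} ({describe_sid(sid)})")
    for field, (a, b) in diff_events(fwd, viewer).items():
        print(f"differs: {field}: forwarder={a!r} event viewer={b!r}")
```

Run as-is, the report shows that the forwarder copy's Target Account ID ends in RID 513 (Domain Users) while the Event Viewer copy names BUILTIN\Administrators, and that the event descriptions themselves differ (Global vs Local group), which supports comparing Record Numbers before assuming the forwarder altered anything. Separately from this thread, whether a Splunk Windows event log input resolves SIDs to account names on the forwarder is governed by the `evt_resolve_ad_obj` setting of the input stanza in inputs.conf; unresolved `%{S-1-5-...}` strings in indexed events are the symptom to look for when that resolution is off or fails.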