Getting Data In

Why does the Splunk forwarder not send the same data from WinEventLog:Security?

TheGU
Path Finder

This is what I get from the universal forwarder:

Message=Security Enabled Global Group Member Removed:  
    Member Name:    -  
    Member ID:  %{S-1-5-21-1659004503-813497703-682003330-1006}  
    Target Account Name:    None  
    Target Domain:  TEST-4  
    Target Account ID:  %{S-1-5-21-1659004503-813497703-682003330-513}  
    Caller User Name:   test  
    Caller Domain:  TEST-4  
    Caller Logon ID:    (0x0,0x111E1)  
    Privileges: -  

This is the same event, but as seen in Event Viewer:

Description:  
Security Enabled Local Group Member Removed:  
    Member Name:    -  
    Member ID:  TEST-4\temp1  
    Target Account Name:    Administrators  
    Target Domain:  Builtin  
    Target Account ID:  BUILTIN\Administrators  
    Caller User Name:   test  
    Caller Domain:  TEST-4  
    Caller Logon ID:    (0x0,0x111E1)  
    Privileges: -  

You will see that some fields are different, e.g. Member ID, Target Account Name, Target Domain, Target Account ID.
How can I configure the Splunk forwarder to get the same data as I see in Event Viewer?

Why does the forwarder change the data before sending it to the indexer?

0 Karma
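A small parser for the two message bodies pasted above, added here as an example and not part of the thread or of Splunk itself: it splits the indented `Name:  value` lines into fields, flags any value that is still a raw `%{S-1-5-...}` SID reference rather than a resolved name, and lists which fields differ between the forwarder paste and the Event Viewer paste. The sample bodies are constructed from the question.

```python
import re
from typing import Dict, List
# A raw SID reference as the forwarder wrote it: %{S-1-5-21-...-1006}
UNRESOLVED_SID = re.compile(r"^%\{(S-1-\d+(?:-\d+)+)\}$")

# Event bodies constructed from the two pastes in the question.
FORWARDED = """Message=Security Enabled Global Group Member Removed:
    Member Name:    -
    Member ID:  %{S-1-5-21-1659004503-813497703-682003330-1006}
    Target Account Name:    None
    Target Domain:  TEST-4
    Target Account ID:  %{S-1-5-21-1659004503-813497703-682003330-513}
    Caller User Name:   test
    Caller Domain:  TEST-4
    Caller Logon ID:    (0x0,0x111E1)
    Privileges: -"""
EVENT_VIEWER = """Description:
Security Enabled Local Group Member Removed:
    Member Name:    -
    Member ID:  TEST-4\\temp1
    Target Account Name:    Administrators
    Target Domain:  Builtin
    Target Account ID:  BUILTIN\\Administrators
    Caller User Name:   test
    Caller Domain:  TEST-4
    Caller Logon ID:    (0x0,0x111E1)
    Privileges: -"""

def parse_fields(body: str) -> Dict[str, str]:
    """Split 'Name:  value' lines into a dict; the value-less line is the title."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep or key == "Description":   # Event Viewer header, not a field
            continue
        key = key.removeprefix("Message=")    # the forwarder prefixes the title
        if value.strip():
            fields[key] = value.strip()
        else:
            fields["Title"] = key
    return fields

def unresolved_sids(fields: Dict[str, str]) -> Dict[str, str]:
    """Fields still holding a raw SID instead of a resolved account/group name."""
    return {k: m.group(1) for k, v in fields.items() if (m := UNRESOLVED_SID.match(v))}

def differing_fields(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Field names whose values differ between two parsed events, in a's order."""
    return [k for k in a if a[k] != b.get(k)]
```

Running `differing_fields` over the two pastes reports the title line as well as the four fields named in the question, and `unresolved_sids` is non-empty only for the forwarded copy, which is a quick way to spot events where a SID was not mapped to a name at collection time.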

Drainy
Champion

They look to me like different events. The forwarder doesn't change any of the data that I have seen.
In your first paste, that looks like an event log generated for an object that has been deleted but a reference to it still exists; Windows uses those strings (object references) in place of object names when they no longer exist.
Your second event paste explicitly says it is related to the builtin admin account, but the first one doesn't have a target account name, which would suggest to me that they are different events.

Could you double check that you have matched them correctly?

0 Karma