Getting Data In

Windows events: Why no data in the "Message" field?

Communicator

I have a heavy forwarder on a win2008R2 server. Windows security logs are being written to a file on that forwarder and then forwarded to Splunk enterprise instance. The problem I am having is that there is no information or data appearing in the "Message=" part of the event. Can anyone tell me why I am not getting this data and how I can fix it?
I have looked at the Windows logs on the forwarder and the "Message" information is there, but not showing in Splunk searches. Here is a sample of a Windows event as it shows in a Splunk search:

09/23/2014 10:32:21 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName=xxx.xxx.xxx
TaskCategory=User Account Management
OpCode=Info
RecordNumber=348148916
Keywords=Audit Success
Message=

Thank you for your help.

SplunkTrust

hello there,
per this website: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740
this is an example of EventCode 4740 "A user account was locked out":

Subject:

   Security ID:  SYSTEM
   Account Name:  WIN-R9H529RIO4Y$
   Account Domain:  WORKGROUP
   Logon ID:  0x3e7

Account That Was Locked Out:

   Security ID:  WIN-R9H529RIO4Y\John
   Account Name:  John

Additional Information:

   Caller Computer Name: WIN-R9H529RIO4Y

it does not contain a message.
therefore, the message field has no value

hope it clears it a little

Splunk Employee

Fixing it for 6.5.5.

SplunkTrust

very odd,
i thought 6.6.0 was just released yesterday...

New Member

Bill, were you able to figure this out? We're experiencing the same in our environment.

Communicator

I talked to support and apparently when reading windows events from a file, the message data is not collected. I did not find a fix for this, but you may also want to consult support.

Communicator

FWIW, my props and transforms.conf are identical to yours and I'm not seeing that behavior. My REGEX experience is slight too, but I don't think these examples are blacklisting. To clarify, you are looking at .conf's in the default folder, but they could be superseded by .conf's in the local folder... I'm just sayin'.

Communicator

I can confirm that there is no blacklisting. I think it may have to do with the REGEX for reporting the message, but I have no REGEX knowledge/experience.
I'm seeing this in SPLUNK_HOME/etc/system/default/props.conf:

[source::WinEventLog...]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
**REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv**
KV_MODE=none
TRANSFORMS-FIELDS = strip-winevt-linebreaker

and in transforms.conf:

**[wel-message]**
REGEX = (?sm)^(?<_pre_msg>.+)\nMessage=(?<Message>.+)$
CLEAN_KEYS = false

**[wel-eq-kv]**
SOURCE_KEY = _pre_msg
DELIMS     = "\n","="
MV_ADD     = true

**[wel-col-kv]**
SOURCE_KEY = Message
REGEX      = \n([^:\n\r]+):[ \t]++([^\n]*)
FORMAT     = $1::$2
MV_ADD     = true
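The three transforms quoted above form a chain: wel-message splits the event into the header (_pre_msg) and the Message body, wel-eq-kv turns the header's key=value lines into fields, and wel-col-kv pulls "Key: value" pairs out of the Message body. The following Python reproduces that chain on a constructed event (not code from the thread or from Splunk) so you can see what falls out when Message= is empty, as in the question: the header fields still extract, but none of the Message-derived fields (Security ID, Account Name, Caller Computer Name) exist.

```python
import re

# Constructed WinEventLog event modelled on the 4740 example quoted in this thread.
SAMPLE_EVENT = """09/23/2014 10:32:21 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
ComputerName=host.example.invalid
TaskCategory=User Account Management
Keywords=Audit Success
Message=A user account was locked out.

Subject:
   Security ID:  SYSTEM
   Account Name:  WIN-R9H529RIO4Y$
   Logon ID:  0x3e7

Account That Was Locked Out:
   Security ID:  WIN-R9H529RIO4Y\\John
   Account Name:  John

Additional Information:
   Caller Computer Name: WIN-R9H529RIO4Y"""
# Same header with an empty Message value: the symptom described in the question.
EMPTY_MESSAGE_EVENT = SAMPLE_EVENT.split("\nMessage=")[0] + "\nMessage="

# [wel-message]: split the event into the header (_pre_msg) and the Message body.
WEL_MESSAGE = re.compile(r"(?sm)^(?P<_pre_msg>.+)\nMessage=(?P<Message>.+)$")
# [wel-col-kv]: "Key: value" pairs inside Message. Splunk's default uses the
# possessive [ \t]++, which older Python re rejects, so [ \t]+ is used here.
WEL_COL_KV = re.compile(r"\n([^:\n\r]+):[ \t]+([^\n]*)")

def parse_wel_event(raw):
    """Apply the three transforms in order; MV_ADD=true means values collect in lists."""
    fields = {}
    m = WEL_MESSAGE.search(raw)
    if m is None:
        # No non-empty Message body: the whole event is treated as header only.
        pre_msg, message = raw, ""
    else:
        pre_msg, message = m.group("_pre_msg"), m.group("Message")
    # [wel-eq-kv]: DELIMS "\n","=" over _pre_msg (the timestamp line has no '=').
    for line in pre_msg.split("\n"):
        if "=" in line:
            k, v = line.split("=", 1)
            fields.setdefault(k, []).append(v)
    if message:
        fields["Message"] = [message]
        for k, v in WEL_COL_KV.findall(message):
            fields.setdefault(k.strip(), []).append(v)
    return fields
```

With the empty-Message event the header parser sees "Message=" as an ordinary key with an empty value, which is exactly the "Message=" with nothing after it shown in the question.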

Communicator

In my limited time using splunk, I've not seen an app automatically do blacklisting.

I've done blacklisting in inputs.conf like:

[WinEventLog://Security]
blacklist1 = EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"

Communicator

No blacklisting was done manually. Could it have been blacklisted automatically by an app or config? I'm checking out the inputs/outputs/transforms files on the hvy forwarder now. Any suggestions on what I should be looking for? Thanks Jeff.

Communicator

Is your inputs.conf for the HF blacklisting this field?