I have a bunch of splunk forwarders installed to collect windows logs and send to them to a collector. The forwarders are installed on Windows XP, 2003, 7, and Server 2008 machines. The forwarders have all windows logs set as data inputs. On the Windows XP machines, I keep seeing a security failure audit in the security log. It occurs approximately every 5 seconds and I believe this is occurring because I am trying to get the security log, because if I remove the data input for that log no errors are generated. This error is causing the security logs to not be forwarded to the collector. As far as I can tell there is no GPO set up to restrict access to the security log and the forwarders are set up the exact same way throughout the network (no other machines are experiencing this problem). The user account that splunk uses to log in is a domain admin account. I've tried adding the splunk account to the Auditors group on the XP machines, but that didn't help. Are you aware of any security settings on Windows XP that could be causing this problem? Is there anything you could suggest to try to rectify the situation?
I'll have to ask someone to check those logs. I'm no longer on site at the moment.
Is there an error message in splunkd.log about this particular behavior that can be correlated to the time when your receiving the security event?
What version of XP are you running?
There is a case where improper permissions will prevent remote access to the Registry on a computer running Windows XP; that is documented in this Microsoft KB article. At the very least, you'll want to make sure the user Splunk runs as has at least Read Allow access to this Registry key.
In the interests of security, it's best to put your Splunk account into a domain group, and then nest that group into a local group that already has access to this key.