windows 2003 server security logs

jbanda

I have an issue that I hope is the result of a painfully obvious misconfiguration on my part. I have a Splunk indexer running the 64-bit version of Splunk 4.1.4 on a RHEL 5.5 64-bit machine, and there is a "similar enough" version with the same specifications I have running in a test environment. I haven't had much experience trying the Windows app (mostly been using it to harvest log files from Exchange and IIS servers on the Windows side), but I'm trying to use the Windows app to get some login reports going.

Attempting to get some information out, I noticed that our Windows 2008 boxes seemed to be reporting on all 3 default event log types successfully, but for some reason our 2003 boxes were only reporting on the Application and System logs. Thinking I may have messed something up along the way, I tried it on the test Splunk server we have, pointing a few test Windows 2008 and 2003 boxes at it. I was getting the same results (oh, and all clients were also running 4.1.4 and were acting as light forwarders with the Windows app enabled).

For comparison's sake, this is the inputs.conf file in our test environment for both the Windows 2003 and Windows 2008 servers:

[default]
# Inherited by every stanza below; both left empty, so the defaults are used
evt_dc_name =
evt_dns_name =

[WinEventLog:Application]
# 0 = input enabled
disabled = 0
# read from the oldest event in the log
start_from = oldest
# 0 = also read events that already exist, not only new ones
current_only = 0
# seconds between checkpoint writes
checkpointInterval = 5

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
# 0 = do not resolve AD objects (SIDs/GUIDs) to names
evt_resolve_ad_obj = 0
checkpointInterval = 5

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[monitor://$WINDIR\WindowsUpdate.log]
sourcetype = WindowsUpdateLog
disabled = 0

With that inputs.conf on both servers, I can see security events coming from the Windows 2008 box (showing up with a sourcetype of "WinEventLog:Security"), but I cannot see this same sourcetype for our Windows 2003 box, although I do see the other 2 sourcetypes (WinEventLog:System and WinEventLog:Application).

I do notice this entry in the splunkd.log file on the Windows 2003 server:

"INFO  WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found.."

However, later on in the same log file on the same box, I see this:

"INFO  WinEventLogChannel - Initialized Windows Event Log='Security' Success; oldest_rec_id='11422142'; newest_rec_id='11476627'; total_rec='54486'
INFO  WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'"

and then later, I see this:

"WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Security': total_events='56849' with empty_msg='0'."

Looks like it's at least trying to read the security events... but I'm not sure why they aren't showing up on our indexer (at least not with that sourcetype and/or associated with the correct host).

Is there anything special that I'm missing that has to be done for Windows 2003 server light forwarders?

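Added example (not part of jbanda's post and not Splunk's own tooling): a small Python helper that takes the inputs.conf above and a splunkd.log excerpt and reports, per enabled WinEventLog channel, whether the forwarder never initialized it, initialized it but has not finished the existing backlog, or read it to completion and with what counts. The regexes are assumptions modelled on the splunkd.log lines quoted in the post (Splunk 4.1.4); the sample log is constructed, with the two Security lines copied from the post and the Application and System lines made up to show the other states.

```python
"""Reconcile enabled WinEventLog stanzas with what splunkd.log reports was read.

Each enabled WinEventLog:<channel> stanza in inputs.conf is matched against the
WinEventLogChannel / WinEventLogInputProcessor lines in splunkd.log and reported
as never initialized, initialized but not finished, or read to completion.
"""
import configparser
import re
from typing import Dict, Iterable, List

# Assumed line formats, modelled on the splunkd.log excerpts quoted in the post
# (Splunk 4.1.4 light forwarder); other versions may word these differently.
INIT_RE = re.compile(
    r"Initialized Windows Event Log='(?P<chan>[^']+)' Success; "
    r"oldest_rec_id='(?P<oldest>\d+)'; newest_rec_id='(?P<newest>\d+)'; "
    r"total_rec='(?P<total>\d+)'"
)
DONE_RE = re.compile(
    r"Finished processing existing Windows Event Log '(?P<chan>[^']+)': "
    r"total_events='(?P<events>\d+)' with empty_msg='(?P<empty>\d+)'"
)

# Constructed inputs.conf, trimmed to the stanza names and keys that matter here.
INPUTS_CONF = """\
[WinEventLog:Application]
disabled = 0

[WinEventLog:Security]
disabled = 0
evt_resolve_ad_obj = 0

[WinEventLog:System]
disabled = 0

[monitor://$WINDIR\\WindowsUpdate.log]
sourcetype = WindowsUpdateLog
disabled = 0
"""

# Constructed splunkd.log excerpt: the Security lines are the ones quoted in the
# post, the Application and System lines are made up to show the other states.
SAMPLE_SPLUNKD_LOG = """\
INFO  WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found..
INFO  WinEventLogChannel - Initialized Windows Event Log='Application' Success; oldest_rec_id='1'; newest_rec_id='800'; total_rec='800'
INFO  WinEventLogChannel - Initialized Windows Event Log='Security' Success; oldest_rec_id='11422142'; newest_rec_id='11476627'; total_rec='54486'
INFO  WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'
INFO  WinEventLogChannel - Initialized Windows Event Log='System' Success; oldest_rec_id='5000'; newest_rec_id='5999'; total_rec='1000'
INFO  WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Application': total_events='800' with empty_msg='0'.
INFO  WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Security': total_events='56849' with empty_msg='0'.
""".splitlines()


def enabled_wineventlog_channels(conf_text: str) -> List[str]:
    """Return channel names of WinEventLog stanzas that are not disabled."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str  # Splunk keys such as checkpointInterval are case-sensitive
    cp.read_string(conf_text)
    channels = []
    for section in cp.sections():
        if section.startswith("WinEventLog:"):
            disabled = cp.get(section, "disabled", fallback="0").strip().lower()
            if disabled not in ("1", "true"):
                channels.append(section.split(":", 1)[1])
    return channels


def parse_splunkd_log(lines: Iterable[str]) -> Dict[str, dict]:
    """Collect per-channel record counts from the init and finish log lines."""
    stats: Dict[str, dict] = {}
    for line in lines:
        m = INIT_RE.search(line)
        if m:
            stats.setdefault(m["chan"], {}).update(
                oldest=int(m["oldest"]), newest=int(m["newest"]), total_rec=int(m["total"]))
            continue
        m = DONE_RE.search(line)
        if m:
            stats.setdefault(m["chan"], {}).update(
                total_events=int(m["events"]), empty_msg=int(m["empty"]))
    return stats


def reconcile(conf_text: str, lines: Iterable[str]) -> Dict[str, str]:
    """One status string per enabled channel, keyed by channel name."""
    stats = parse_splunkd_log(lines)
    report = {}
    for chan in enabled_wineventlog_channels(conf_text):
        s = stats.get(chan, {})
        if "total_rec" not in s:
            report[chan] = "enabled but no 'Initialized ... Success' line found"
        elif "total_events" not in s:
            report[chan] = f"initialized ({s['total_rec']} records) but no 'Finished processing' line yet"
        else:
            # total_rec is the count at open time; a positive delta is consistent
            # with new events arriving while the backlog was being read.
            delta = s["total_events"] - s["total_rec"]
            span_ok = s["newest"] - s["oldest"] + 1 == s["total_rec"]
            report[chan] = (f"read to completion: {s['total_events']} events ({delta:+d} vs. initial count, "
                            f"{s['empty_msg']} empty messages); record-id span "
                            f"{'matches' if span_ok else 'does not match'} total_rec")
    return report


if __name__ == "__main__":
    for chan, status in reconcile(INPUTS_CONF, SAMPLE_SPLUNKD_LOG).items():
        print(f"{chan:12} {status}")
```

For the Security log quoted in the post, the helper shows the forwarder-side read looking healthy: newest_rec_id - oldest_rec_id + 1 equals total_rec (54486), and total_events (56849) is higher, which is consistent with events arriving while the backlog was read. When a channel reads to completion on the forwarder but its sourcetype never appears on the indexer, the gap is somewhere after this read (forwarding or indexing), which narrows where to look next.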

samjack

Have you tested using the latest version of the forwarder? That is what I would try. I doubt updating the version of the forwarder without updating the Splunk indexer version will matter much in this case.
