How to identify user or process responsible for stopping the Splunk UF agent

Rastegui
Engager

I am trying to identify the user or process responsible for stopping the Splunk UF agent. What log source do I require to be able to see this?

I have unsuccessfully tried:

  • Searching in internal index - You can only see the service going down.
    • index=_internal sourcetype=splunkd host="DC*" component=Shutdown*
  • Monitoring the windows system event log for forwarder shutdown event (EventCode 7036)
    • No visibility on who performed the action.

Looking for ideas on how this can be achieved from Splunk.


kiran_panchavat
SplunkTrust

@Rastegui 

To pinpoint the user or process stopping the Splunk UF, you need to look beyond Splunk’s internal logs and Windows System Events alone.

Enable and Monitor Windows Security Event Logs

  • Required Log Source: Windows Security Event Log (WinEventLog:Security)
  • The Security Event Log can capture events related to service control actions if auditing is enabled.
  • Specifically, Event ID 4656 (with proper auditing) or Event ID 4670 (permissions changes) might indicate when a user or process interacts with the SplunkForwarder service.
  • Ensure the Splunk UF is configured to forward Windows Security Event Logs.

Useful Windows Security Event Log codes to monitor for identifying the user or process responsible for stopping the Splunk UF agent:

Event ID 4688: Logs the creation of a new process. This can help identify the process responsible for stopping the Splunk UF agent.
Event ID 4648: Logs the use of explicit credentials. This can help identify the user who performed the action.
Event ID 4624: Logs successful account logons. This can help track user activity.
Event ID 4625: Logs failed account logons. This can indicate unauthorized attempts to access the system.
Event ID 1102: Logs audit log clearance. This can indicate an attempt to cover tracks.

By monitoring these event codes, you should be able to get a clearer picture of the user or process responsible for stopping the Splunk UF agent.

Please check this https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

kiran_panchavat
SplunkTrust

@Rastegui 

  • The _internal index logs Splunk’s own operational data, including shutdown events. However, it typically only records that the service stopped (e.g., "Splunkd daemon is shutting down") and not who or what triggered it. This is because Splunk UF doesn’t natively track external triggers in detail; it’s a lightweight agent focused on forwarding data, not auditing administrative actions.

Event ID 7036 in the Windows System Event Log indicates that a service (like SplunkForwarder) changed state (e.g., stopped), but it doesn’t consistently log the user or process responsible for stopping it. This event is generated by the Service Control Manager (SCM) and lacks the context of the initiating action unless additional auditing is enabled.

  • Event ID 4688: This event logs the creation of a new process, which can help identify the process responsible for stopping the Splunk UF agent.
  • Event ID 4648: This event logs the use of explicit credentials, which can help identify the user who performed the action.

Audit Logs: Enable auditing on the server to capture detailed information about user actions and process executions. This can provide more visibility into who performed the action.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
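As an added illustration (not code from the thread or from Splunk), the correlation the two answers describe: each System-log 7036 "SplunkForwarder stopped" event is joined with Security 4688 process-creation events on the same host in the minute before it, so the stop can be attributed to an account and a command. It assumes Process Creation auditing with "Include command line in process creation events" is enabled on the host, and that field names (Account_Name, New_Process_Name, Process_Command_Line, param1/param2) follow the Splunk Windows add-on; the sample events are constructed.

```python
from datetime import datetime, timedelta

SERVICE = "SplunkForwarder"
# Binaries that commonly carry a Windows service stop; used only to rank candidates.
STOP_TOOLS = ("sc.exe", "net.exe", "net1.exe", "powershell.exe", "taskkill.exe")

# Constructed sample events (not real logs) using the field names the Splunk
# Windows add-on extracts. 7036 comes from the System log, 4688 from Security.
EVENTS = [
    {"ts": "2024-03-11T09:14:02", "host": "DC01", "EventCode": 4688, "Account_Name": "CORP\\jdoe",
     "New_Process_Name": "C:\\Windows\\System32\\cmd.exe", "Process_Command_Line": "cmd.exe"},
    {"ts": "2024-03-11T09:14:20", "host": "DC01", "EventCode": 4688, "Account_Name": "CORP\\jdoe",
     "New_Process_Name": "C:\\Windows\\System32\\sc.exe",
     "Process_Command_Line": "sc.exe stop SplunkForwarder"},
    {"ts": "2024-03-11T09:14:21", "host": "DC01", "EventCode": 7036,
     "param1": "SplunkForwarder", "param2": "stopped"},
    {"ts": "2024-03-11T09:30:00", "host": "DC02", "EventCode": 7036,
     "param1": "SplunkForwarder", "param2": "stopped"},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def attribute_stops(events, window_s=60):
    """One record per SplunkForwarder stop, with the best 4688 candidate on that host.

    Candidates are 4688 events on the same host in the `window_s` seconds before
    the 7036. A command line naming the service wins; otherwise the closest
    launch of a known stop tool; otherwise user/command are None (no visibility).
    """
    stops = [e for e in events if e["EventCode"] == 7036
             and e["param1"] == SERVICE and e["param2"] == "stopped"]
    out = []
    for stop in stops:
        t_stop = _t(stop)
        cands = [e for e in events if e["EventCode"] == 4688 and e["host"] == stop["host"]
                 and timedelta(0) <= t_stop - _t(e) <= timedelta(seconds=window_s)]
        named = [e for e in cands if SERVICE.lower() in e["Process_Command_Line"].lower()]
        tools = [e for e in cands if e["New_Process_Name"].lower().endswith(STOP_TOOLS)]
        best = min(named or tools, key=lambda e: t_stop - _t(e), default=None)
        out.append({"host": stop["host"], "stopped_at": stop["ts"],
                    "user": best["Account_Name"] if best else None,
                    "command": best["Process_Command_Line"] if best else None})
    return out

if __name__ == "__main__":
    for r in attribute_stops(EVENTS):
        print(r)
```

A stop with no matching 4688 (DC02 above) comes back with user and command set to None, which is exactly the gap the original poster hit when only 7036 was available.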