Hi
Data loss or intermittent event visibility can occur at several points: source generation, forwarder collection/sending, network transport, or indexer processing/filtering.
- Verify Event Generation: First, confirm the Event ID 4724 is consistently generated in the Windows Security Event Log on the Domain Controller itself using the native Event Viewer during your tests. If it's not logged there reliably, the issue lies with Windows auditing configuration, not Splunk.
- Check Forwarder Configuration: Ensure the inputs.conf on the Universal Forwarder monitoring the Domain Controller has the correct stanza ([WinEventLog://Security]) and is enabled (disabled = false). Verify no blacklist or whitelist settings within this stanza or related props.conf/transforms.conf are unintentionally filtering Event ID 4724.
- Check Forwarder Status & Connectivity: Verify the Splunk forwarder service is running on the DC and can connect to the indexers. Check for errors in the forwarder's internal logs.
- Check Indexer Processing: Ensure no index-time filtering rules (props.conf/transforms.conf on indexers) are discarding these events (e.g., routing to nullQueue).
- Multiple Domain Controllers: Do you have multiple domain controllers? It could be that one/more of them are not configured correctly to send data to Splunk and therefore when this event is actioned against that particular DC then you do not get the logs in Splunk.
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
