Security

How to capture Windows Event Code 4672?

don625
New Member

I'm not sure where to look, but I was trying to capture Event ID/Code 4672, which is in the Windows Security logs, but I cannot find it within Splunk. I am using Universal Forwarders and so far I am seeing everything I'm looking for except that Event code. Any idea where I can look to see if it's being filtered? I've looked in E:>Program Files>Splunk>etc>system>local at the transforms.conf file and don't see it listed. I wasn't sure if that is a filter of what to include or exclude.
Thanks.


dflodstrom
Builder

To enable collection of the security log you'll want disabled=0

[WinEventLog://Security]
disabled = 0

muebel
SplunkTrust

First I would verify that you are indexing the Security Eventlog.

[WinEventLog://Security]
disabled = 1

Once you are sure that you are indexing the security eventlog, just search for "4672" on that sourcetype and see if anything comes up.


don625
New Member

In /Splunk/etc/system/local/inputs.conf it's set to 0 and I am getting a bunch of Windows Security events, except 4672. So far I cannot figure out why it's not being collected.

[WinEventLog://Application]
disabled = 0

[WinEventLog://ForwardedEvents]
disabled = 1

[WinEventLog://HardwareEvents]
disabled = 1

[WinEventLog://Internet Explorer]
disabled = 1

[WinEventLog://Security]
disabled = 0

[WinEventLog://Setup]
disabled = 0

[WinEventLog://System]
disabled = 0


dflodstrom
Builder

Check Program Files/Splunk/etc/system/local/props.conf and Program Files/Splunk/etc/system/local/transforms.conf to see if there is anything related to that event code or your Windows Security log. This is a noisy event so they may have blacklisted it.

Are you deploying any configurations to them that might have this event blacklisted ... custom TA or the Splunk_TA_windows with local settings?

Are you sending these events to an indexer or is this a single instance Splunk deployment? There might be configurations on your indexer/heavy forwarders that are filtering this event if you have them.


don625
New Member

I checked the files, Program Files/Splunk/etc/system/local/props.conf and Program Files/Splunk/etc/system/local/transforms.conf and cannot find the code.

Yes, the events are coming from servers with Universal forwarders. I don't think we are blocking with any configs to them. I checked one of the DCs and the props or transforms files in the SplunkUniversalForwarder/etc/apps/Splunk_TA_windows/default directory don't have anything with that event, and those files aren't in the local directory.

This is a single instance of Splunk.


dflodstrom
Builder

/Splunk_TA_windows/default/inputs.conf should have this by default for WinEventLog://Security:

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

Unless you have a transforms somewhere that applies to the source/sourcetype that applies to these events I am also confused. Have you tried using btool to help determine what configurations are being applied to your source/sourcetype?

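To see what btool would report for this stanza without a Splunk host at hand, here is an added Python example (not from the thread, not Splunk's own code) that merges a `[WinEventLog://Security]` stanza across constructed inputs.conf layers in Splunk precedence order and tests which blacklist rule, if any, would drop a given event. It assumes the layering system/local over app local over app default, a hypothetical app-local file carrying `blacklist3 = 4672` (not on the page; it illustrates where a hidden filter would sit), and that every key="regex" pair in one blacklist must match for the event to be dropped.

```python
import re
from configparser import ConfigParser

# Constructed inputs.conf layers, highest Splunk precedence first. The first and
# last mirror the thread; the middle one is hypothetical and hides a 4672 blacklist.
LAYERS = [
    ("etc/system/local/inputs.conf", r"""
[WinEventLog://Security]
disabled = 0
"""),
    ("etc/apps/Splunk_TA_windows/local/inputs.conf", r"""
[WinEventLog://Security]
blacklist3 = 4672
"""),
    ("etc/apps/Splunk_TA_windows/default/inputs.conf", r"""
[WinEventLog://Security]
disabled = 1
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
"""),
]

def effective_stanza(layers, stanza):
    """Merge one stanza: higher-precedence keys win, others fall through."""
    merged = {}
    for _path, text in reversed(layers):  # lowest precedence first
        cp = ConfigParser(interpolation=None)
        cp.optionxform = str  # keep key case (blacklist1, renderXml, ...)
        cp.read_string(text)
        if cp.has_section(stanza):
            merged.update(cp[stanza])
    return merged

_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
def blacklist_matches(rule, event):
    """True when one blacklistN value drops `event` (dict of field -> str).
    Handles an ID/range list ("4672, 100-200") and key="regex" pairs (AND)."""
    pairs = _PAIR.findall(rule)
    if not pairs:  # plain event ID list
        code = int(event.get("EventCode", -1))
        return any(int(lo) <= code <= int(hi or lo)
                   for lo, _, hi in (t.strip().partition("-") for t in rule.split(",")))
    return all(re.search(rx, event.get(key, "")) for key, rx in pairs)

def first_blacklist_hit(settings, event):
    """Name of the first blacklist rule that drops `event`, or None."""
    for key in sorted(k for k in settings if k.startswith("blacklist")):
        if blacklist_matches(settings[key], event):
            return key
    return None
```

Running `first_blacklist_hit` over the merged stanza shows 4672 dropped by the hypothetical blacklist3 while 4624 is indexed, which is the symptom described in this thread.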

don625
New Member

The default\inputs.conf looks like this. I couldn't find that code in transforms. I haven't used btool. I will look into that. Thanks.

[WinEventLog://System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5


dflodstrom
Builder

Since these inputs are disabled by default are you enabling them somewhere? .../Splunk_TA_windows/local/ or otherwise? Perhaps where they are enabled they're also being blacklisted.


don625
New Member

I was searching and found them enabled here - Program Files/Splunk/etc/system/local/inputs.conf. I'm guessing this overrides the default inputs.conf, and I do have a ton of Windows Security events, just not finding that specific event for some reason. We had a 3rd party set this up and they are out of business, so I was trying to figure it out. I may have to get a consultant to help figure this out. Thanks for all of the help.

/Splunk/etc/system/local/inputs.conf
[WinEventLog://Application]
disabled = 0

[WinEventLog://ForwardedEvents]
disabled = 1

[WinEventLog://HardwareEvents]
disabled = 1

[WinEventLog://Internet Explorer]
disabled = 1

[WinEventLog://Security]
disabled = 0

[WinEventLog://Setup]
disabled = 0

[WinEventLog://System]
disabled = 0


dflodstrom
Builder

Are you positive that this event is being logged at the source? The filtering would happen in .../Splunk/etc/apps/Splunk_TA_windows/default/


jkeellogic
Explorer

I have a similar interest except I want to capture Win Event code 4738.

I already know and collect winEventlog:security in my Splunk environment, and I would like to capture code 4738 from each UF to send to me as an alert. Maybe store it in a different index?

I have hit a wall in the number of UFs from which I receive security logs. In my case it's 16 out of 31 I collect.

I still want all of the security logs, but I would like to extract 1, 2 or 3 EventCodes from the security logs as quickly as possible.

jim


don625
New Member

Thanks for the response. Yes, I can see Event ID: 4672 in the Windows Security logs for the server I am testing. Strange. I tried just searching for 4672 and get nothing. I have about 80 forwarders installed and verified that I am collecting the Security logs. I tested a few, looking in the Windows Security log and searching on some Event IDs, 4624 and 4768, and can find those without issue searching Splunk.
