How to capture Windows Event Code 4672?
I'm not sure where to look, but I was trying to capture Event ID/Code 4672, which is in the Windows Security logs, but I cannot find it within Splunk. I am using Universal Forwarders and so far I am seeing everything I'm looking for except that Event code. Any idea where I can look to see if it's being filtered? I've looked in E:>Program Files>Splunk>etc>system>local at the transforms.conf file and don't see it listed. I wasn't sure if that is a filter of what to include or exclude.
Thanks.

To enable collection of the security log you'll want disabled=0
[WinEventLog://Security]
disabled = 0

First, I would verify that you are indexing the Security Eventlog.
[WinEventLog://Security]
disabled = 1
Once you are sure that you are indexing the security eventlog, just search for "4672" on that sourcetype and see if anything comes up.
In /Splunk/etc/system/local/inputs.conf it's set to 0 and I am getting a bunch of Windows Security events, except 4672. So far I cannot figure out why it's not being collected.
[WinEventLog://Application]
disabled = 0
[WinEventLog://ForwardedEvents]
disabled = 1
[WinEventLog://HardwareEvents]
disabled = 1
[WinEventLog://Internet Explorer]
disabled = 1
[WinEventLog://Security]
disabled = 0
[WinEventLog://Setup]
disabled = 0
[WinEventLog://System]
disabled = 0

Check Program Files/Splunk/etc/system/local/props.conf and Program Files/Splunk/etc/system/local/transforms.conf to see if there is anything related to that event code or your Windows Security log. This is a noisy event so they may have blacklisted it.
Are you deploying any configurations to them that might have this event blacklisted ... custom TA or the Splunk_TA_windows with local settings?
Are you sending these events to an indexer or is this a single instance Splunk deployment? There might be configurations on your indexer/heavy forwarders that are filtering this event if you have them.
I checked the files, Program Files/Splunk/etc/system/local/props.conf and Program Files/Splunk/etc/system/local/transforms.conf and cannot find the code.
Yes, the events are coming from servers with Universal Forwarders. I don't think we are blocking with any configs to them. I checked one of the DCs and the props or transforms files in the SplunkUniversalForwarder/etc/apps/Splunk_TA_windows/default directory don't have anything with that event and those files aren't in the local directory.
This is a single instance of Splunk.

/Splunk_TA_windows/default/inputs.conf should have this by default for WinEventLog://Security:
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml = false
Unless you have a transform somewhere that applies to the source/sourcetype of these events, I am also confused. Have you tried using btool to help determine what configurations are being applied to your source/sourcetype?
The default\inputs.conf looks like this. I couldn't find that code in transforms. I haven't used btool. I will look into that. Thanks.
[WinEventLog://System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

Since these inputs are disabled by default are you enabling them somewhere? .../Splunk_TA_windows/local/ or otherwise? Perhaps where they are enabled they're also being blacklisted.
I was searching and found them enabled here - Program Files/Splunk/etc/system/local/inputs.conf. I'm guessing this overrides the default inputs.conf and I do have a ton of Windows Security events, just not finding that specific event for some reason. We had a 3rd party set this up and they are out of business, so I was trying to figure it out. I may have to get a consultant to help figure this out. Thanks for all of the help.
/Splunk/etc/system/local/inputs.conf
[WinEventLog://Application]
disabled = 0
[WinEventLog://ForwardedEvents]
disabled = 1
[WinEventLog://HardwareEvents]
disabled = 1
[WinEventLog://Internet Explorer]
disabled = 1
[WinEventLog://Security]
disabled = 0
[WinEventLog://Setup]
disabled = 0
[WinEventLog://System]
disabled = 0

Are you positive that this event is being logged at the source? The filtering would happen in .../Splunk/etc/apps/Splunk_TA_windows/default/
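The replies above point at the same question from different angles: which inputs.conf layer wins for WinEventLog://Security (system/local over Splunk_TA_windows/local over Splunk_TA_windows/default), and whether a blacklist in any of those files would drop a given EventCode. The script below is an added example, not code from this thread or from Splunk: it merges constructed copies of those files with Splunk's precedence order, then reports which file decides the fate of a sample 4672 event. The Splunk_TA_windows/local file with a blacklist3 rule, the event text, and partial-match regex semantics for key="regex" rules are assumptions.

```python
import re
from configparser import ConfigParser
# Constructed stand-in for the inputs.conf layers discussed in the thread (not a real
# host), in Splunk precedence order: etc/system/local beats etc/apps/*/local beats
# etc/apps/*/default. The TA local file is hypothetical: where a hidden blacklist could sit.
LAYERS = [
    ("etc/system/local/inputs.conf",
     "[WinEventLog://Security]\ndisabled = 0\n"),
    ("etc/apps/Splunk_TA_windows/local/inputs.conf",
     '[WinEventLog://Security]\nblacklist3 = EventCode="4672"\n'),
    ("etc/apps/Splunk_TA_windows/default/inputs.conf",
     "[WinEventLog://Security]\ndisabled = 1\nindex = wineventlog\n"
     'blacklist1 = EventCode="4662" Message="Object Type:\\s+(?!groupPolicyContainer)"\n'),
]
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # key="regex" pairs (advanced blacklist format)

def effective_stanza(layers, stanza):
    """Merge one stanza across layers; the highest-precedence file that sets a key wins."""
    merged, origin = {}, {}
    for path, text in layers:
        cp = ConfigParser(interpolation=None)
        cp.optionxform = str  # keep key case; Splunk field names such as EventCode are case-sensitive
        cp.read_string(text)
        if cp.has_section(stanza):
            for key, val in cp.items(stanza):
                merged.setdefault(key, val)
                origin.setdefault(key, path)
    return merged, origin

def blacklist_matches(rule, event):
    """Advanced format: every key="regex" must match its field (assumed partial match, as Splunk
    does, so anchor ^...$ for exact codes). Plain format: comma/space-separated codes or lo-hi ranges."""
    pairs = KV_RE.findall(rule)
    if pairs:
        return all(re.search(rx, event.get(field, "")) for field, rx in pairs)
    code = int(event["EventCode"])
    for tok in re.split(r"[,\s]+", rule.strip()):
        lo, _, hi = tok.partition("-")
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= code <= int(hi or lo):
            return True
    return False

def filter_verdict(layers, stanza, event):
    """Say what happens to one event under the merged stanza and which file decided it."""
    cfg, where = effective_stanza(layers, stanza)
    if cfg.get("disabled", "0") == "1":
        return "not collected: disabled in " + where["disabled"]
    for key in sorted(k for k in cfg if k.startswith("blacklist")):
        if blacklist_matches(cfg[key], event):
            return f"dropped by {key} in {where[key]}"
    return "forwarded to index " + cfg.get("index", "default")
```

On a real forwarder, splunk btool inputs list --debug prints the same merged view with the originating file for each line, which is the quickest way to confirm there is no blacklist for 4672 anywhere on the host.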
I have a similar interest except I want to capture Win Event code 4738.
I know I have collected winEventlog:security in my Splunk environment, and I would like to capture code 4738 from each UF to send to me as an alert. Maybe store it in a different index?
I have hit a wall in the number of UFs from which I receive security logs. In my case it's 16 out of 31 I collect.
I still want all of the security logs but I would like to extract 1, 2 or 3 EventCodes from the security logs as quickly as possible.
jim
Thanks for the response. Yes, I can see Event ID: 4672 in the Windows Security logs for the server I am testing. Strange. I tried just searching for 4672 and get nothing. I have about 80 forwarders installed and verified that I am collecting the Security logs. I tested a few looking in the Windows Security log and searching on some Event IDs, 4624 and 4768, and can find those without issue searching Splunk.
