Security

Why am I not receiving events for shared folder events?

Sergio1
New Member

Estoy trabajando en un panel de equipo para eventos de carpetas compartidas, sin embargo no recibo eventos con eventcode 4663, ya habilité la política de auditoría y en las carpetas que quiero monitorear hice lo mismo, me guié con el siguiente enlace:  https://www.lepide.com/how-to/track-changes-made-to-files-of-shared-folder.html

Pero sigo sin recibir eventos de carpetas compartidas en splunk, alguien sabe que mas debo revisar para recibir este tipo de eventos?

I am working on a team panel for shared folder events, however I do not receive events with eventcode 4663, I have already enabled the audit policy and in the folders that I want to monitor I did the same, I was guided by the following link: https:// www.lepide.com/how-to/track-changes-made-to-files-of-shared-folder.html

But I still do not receive events from shared folders in splunk, does anyone know what else I should check to receive these types of events?

*post translated to English by Splunk staff

Labels (1)
0 Karma

javiergn
Super Champion

Hola @Sergio1 , antes de nada te recomiendo que escribas las preguntas en inglés para que llegue al máximo posible de oyentes y obtengas una respuesta más rápida.

Con respecto a tu pregunta, lo primero que deberías hacer es comprobar con el visor de eventos (Event Viewer) en Windows que los eventos 4663 se están generando.

En caso de que así sea hay varias cosas que puedes hacer con respecto a Splunk:

1) ¿Te llegan algún otro tipo de eventos Windows desde esa misma máquina? Si es así es posible que tu inputs.conf no esté bien configurado o que estés usando blacklist/whitelist incorrectamente.

2) Si no te llegan eventos Windows de ningún tipo, revisa bien la configuración local de tu Splunk Forwarder. Lo más sencillo si tienes acceso a esa máquina es que ejecutes btool sobre inputs.conf ($SPLUNK_HOME/bin/splunk btool inputs list --debug) para ver qué tienes configurado y las preferencias. Allí debería de haber alguna entrada tipo WinEventLog://Security donde o bien estás leyendo todos los eventos de Security o bien tienes un whitelist/blacklist especificando cuales lees.

3) Comprueba también que llegan eventos a los índices internos desde esa máquina. Simplemente usa index=_* host=YOURHOST, donde YOURHOST es la máquina que tiene que enviar los 4663. Así de paso compruebas conectividad con tus Indexers o Heavy Forwarders.

4) Otra cosa más, suponiendo que tu configuración de inputs.conf sea la correcta, ¿has especificado el index donde se van insertar estos eventos? Si no es así irá al que tengas por defecto, normalmente main. Y si has especificado otro, ¿te has asegurado de que el índice existe y tienes permisos para leer?

Yo empezaría por estos pasos, pero la solución dependerá mucho de lo que te vayas encontrando.

Un saludo

-----

TRANSLATED TO ENGLISH WITH CHATGPT (sorry I'm too lazy to bother and the outcome is actually very good):

 

Hello @Sergio1, first of all, I recommend that you write the questions in English so that it reaches as many listeners as possible and you get a faster response.

Regarding your question, the first thing you should do is check with the Event Viewer on Windows that the 4663 events are being generated.

If that's the case, there are several things you can do regarding Splunk:

1) Are you receiving any other types of Windows events from the same machine? If so, it's possible that your inputs.conf is not properly configured or you're using blacklist/whitelist incorrectly.

2) If you're not receiving any Windows events of any kind, thoroughly review the local configuration of your Splunk Forwarder. The easiest way, if you have access to that machine, is to run btool on inputs.conf ($SPLUNK_HOME/bin/splunk btool inputs list --debug) to see what you have configured and the preferences. There should be an entry like WinEventLog://Security where you're either reading all Security events or you have a whitelist/blacklist specifying which events you're reading.

3) Also, check if events from that machine are reaching the internal indexes. Simply use index=_* host=YOURHOST, where YOURHOST is the machine that should be sending the 4663 events. This way, you also test connectivity with your Indexers or Heavy Forwarders.

4) Another thing, assuming your inputs.conf configuration is correct, have you specified the index where these events should be inserted? If not, they will go to the default one, usually main. And if you have specified another index, have you ensured that the index exists and you have permissions to read from it?

I would start with these steps, but the solution will depend a lot on what you find along the way.

Best regards.

 

Javier

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...