
Security log is full from Windows is not forwarded to Splunk

phamanh1652
Explorer

Hello All,

We send logs from Windows to Splunk via Universal Forwarder. We want to create alerts for Event ID 1104 - The security log is full and 1105 - Log automatic backup.

However, when searching, we cannot find either of these events.

When reviewing the log files (EVTX), Event ID 1104 appears as the final entry in the archived log, while Event ID 1105 is the initial entry in the newly created EVTX file.

phamanh1652_1-1753845932886.png

Here is the configuration for log archiving:

phamanh1652_0-1753845777458.png

0 Karma

phamanh1652
Explorer

For inputs.conf file, we've already enabled the Security log (and others). While other Security Event IDs, like those in the 472x range, are successfully searchable in Splunk, Event IDs 1104 and 1105 are conspicuously absent from search results.

phamanh1652_0-1753862993151.png


0 Karma

PrewinThomas
Builder

@phamanh1652 

What does your inputs.conf look like?

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma

gcusello
SplunkTrust

Hi @phamanh1652 ,

I suppose that you're using the Splunk_TA_Windows; did you check if, in the inputs.log, there's a filter on WinEventLog:Security logs? Sometimes not all the EventCodes are indexed.

Ciao.

Giuseppe

0 Karma
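As an added illustration of the filter Giuseppe is asking about (example configuration written for this thread, not taken from any post or from Splunk_TA_Windows): a whitelist that enumerates only the audit codes someone once asked for silently drops the log-management events, and the corrected stanza below it adds 1104 and 1105 back. The index name and the specific event codes in the whitelist are assumptions.

```ini
# Constructed example, not from this thread or from the Splunk_TA_Windows
# default inputs.conf. A whitelist on the Security input is allow-listing:
# any EventCode not listed is discarded on the forwarder and never indexed.

# --- Overly narrow: 1104 and 1105 never reach the indexer ---
# [WinEventLog://Security]
# disabled = 0
# index = wineventlog
# whitelist = 4624,4625,4720-4729

# --- Corrected: keep the audit codes and add the log-management events ---
[WinEventLog://Security]
disabled = 0
index = wineventlog
# 1104 = The security log is now full, 1105 = Event log automatic backup
whitelist = 1104,1105,4624,4625,4720-4729
```

On the forwarder, `splunk btool inputs list WinEventLog://Security --debug` prints the merged stanza and the file each key comes from, which is the quickest way to spot a whitelist or blacklist inherited from another app; after editing, restart the forwarder and confirm with `sourcetype=WinEventLog:Security EventCode IN (1104,1105)`.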