Splunk Enterprise Security and Splunk Add-On for W...

jeburkes76 · ‎12-10-2018

As best as I can tell there is a bug between the Splunk Enterprise Security App and Splunk Add-On for Windows. The Splunk Enterprise Security App Windows Event Log Cleared looks for sourcetype=wineventlog:security. However the Splunk Add-On for Windows props file that renames wineventlog:security back to wineventlog causing the Windows Event Log Cleared to never fire.

Additionally, the transform regex may be wrong, not sure, could not get it to fire as written so I created a custom transform, (?m)^LogName=(\S+).

adonio · ‎12-10-2018

is there a question here?
what is the version of the windows TA you are using?
iirc, the 5.0 version has those bugs and it says somewhere in the docs to go back to 4.8.4

jeburkes76 · ‎12-14-2018

I guess sort of a question, I am new to transforms and props configuration files so it was a sanity check. Maybe my team and I made a mistake and installed a later version of the Add-On for Microsoft version 5.0.1 but we believe it came with ES 5.20 when we installed hence our confusion and concern if it is a known issue. This is a test environment so maybe we missed something. Thanks for the info.

Splunk Enterprise Security and Splunk Add-On for Windows

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms