As best as I can tell there is a bug between the Splunk Enterprise Security App and Splunk Add-On for Windows. The Splunk Enterprise Security App Windows Event Log Cleared looks for sourcetype=wineventlog:security. However the Splunk Add-On for Windows props file that renames wineventlog:security back to wineventlog causing the Windows Event Log Cleared to never fire.
Additionally, the transform regex may be wrong, not sure, could not get it to fire as written so I created a custom transform, (?m)^LogName=(\S+).
is there a question here?
what is the version of the windows TA you are using?
iirc, the 5.0 version has those bugs and it says somewhere in the docs to go back to 4.8.4
I guess sort of a question, I am new to transforms and props configuration files so it was a sanity check. Maybe my team and I made a mistake and installed a later version of the Add-On for Microsoft version 5.0.1 but we believe it came with ES 5.20 when we installed hence our confusion and concern if it is a known issue. This is a test environment so maybe we missed something. Thanks for the info.