How To Know WinLogs Stanza Per Event ID

morethanyell · ‎11-05-2020

Hi,

I got a request to onboard Event IDs 3039, 3040, 3041, 2886, 2887, 2888, 2889. I tried to Google them but couldn't see anything that will tell which logsource they're from.

I don't know if I should put them under System i.e.

[WinEventLog://System]
index = winlogs_of_domain_controllers
whitelist = 2886-2889,3039-3041

Or Security i.e.

[WinEventLog://Security]
index = winlogs_of_domain_controllers
whitelist = 2886-2889,3039-3041

I was hoping someone could point me to a trusty website?

Thank you.

Richfez · ‎11-05-2020

Ask the person who requested those to be ingested.

Event IDs can be duplicated for different purposes across many different event logs, so a System 3039 may exist, and a Security 3039 may exist, and they may be completely different types of events. You absolutely have to know which event 3039 they want you to ingest.

Happy Splunking

-Rich

morethanyell · ‎11-05-2020

Understood. I never thought that Event Codes can have duplicates in System and Security. Thanks a bunch.

How To Know WinLogs Stanza Per Event ID

configuration

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How To Know WinLogs Stanza Per Event ID

configuration

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?