Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How To Know WinLogs Stanza Per Event ID

morethanyell
Builder
‎11-05-2020 04:42 AM

Hi,

I got a request to onboard Event IDs 3039, 3040, 3041, 2886, 2887, 2888, 2889. I tried to Google them but couldn't see anything that will tell which logsource they're from.

I don't know if I should put them under System i.e.

 

 

[WinEventLog://System]
index = winlogs_of_domain_controllers
whitelist = 2886-2889,3039-3041

 

 

Or Security i.e.

 

[WinEventLog://Security]
index = winlogs_of_domain_controllers
whitelist = 2886-2889,3039-3041

 

 

I was hoping someone could point me to a trusty website?

 

Thank you.

Labels (1)
Labels
0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-05-2020 06:33 AM

Ask the person who requested those to be ingested.

Event IDs can be duplicated for different purposes across many different event logs, so a System 3039 may exist, and a Security 3039 may exist, and they may be completely different types of events.  You absolutely have to know which event 3039 they want you to ingest.

Happy Splunking

-Rich

0 Karma
Reply

morethanyell
Builder
‎11-05-2020 06:44 AM

Understood. I never thought that Event Codes can have duplicates in System and Security. Thanks a bunch.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...