Hi,
I got a request to onboard Event IDs 3039, 3040, 3041, 2886, 2887, 2888, 2889. I tried to Google them but couldn't find anything that would tell me which log source they come from.
I don't know if I should put them under System, i.e.
[WinEventLog://System]
index = winlogs_of_domain_controllers
whitelist = 2886-2889,3039-3041
or Security, i.e.
[WinEventLog://Security]
index = winlogs_of_domain_controllers
whitelist = 2886-2889,3039-3041
I was hoping someone could point me to a trusty website?
Thank you.
Ask the person who requested those to be ingested.
Event IDs can be duplicated for different purposes across many different event logs, so a System 3039 may exist, and a Security 3039 may exist, and they may be completely different types of events. You absolutely have to know which event 3039 they want you to ingest.
Happy Splunking
-Rich
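One way to settle that on the domain controller itself, as an added example that is not part of this thread: enumerate every event log that has actually recorded one of the requested IDs, so the stanza can be pointed at the real WinEventLog://<LogName> rather than a guess (assumes PowerShell run on the DC; the ID list is the one from the question).

```powershell
# Added example (not from the thread): find which Windows event logs on this
# host have recorded the requested event IDs, and who the provider is.
$ids = 2886, 2887, 2888, 2889, 3039, 3040, 3041

# Only query logs that contain records; -ListLog * also returns many empty
# analytic/debug channels that would just produce errors.
$logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 }

$results = foreach ($log in $logs) {
    # FilterHashtable takes an array of IDs. "No events were found" is a
    # non-terminating error, so SilentlyContinue just yields nothing.
    # This can take a while on a busy Security log.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = $ids } `
                           -ErrorAction SilentlyContinue
    if ($events) {
        $events | Group-Object -Property Id | ForEach-Object {
            [pscustomobject]@{
                LogName  = $log.LogName
                EventId  = [int]$_.Name
                Count    = $_.Count
                Provider = ($_.Group | Select-Object -First 1).ProviderName
            }
        }
    }
}

# LogName is what goes into the inputs.conf header: [WinEventLog://<LogName>]
$results | Sort-Object EventId, LogName | Format-Table -AutoSize
```

If an ID appears under more than one LogName, that is exactly the collision Rich describes and the requester has to say which one they mean; if an ID appears nowhere, the event may simply not have fired yet on that host, so the answer still has to come from the requester.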
Understood. I never thought that Event Codes can have duplicates in System and Security. Thanks a bunch.