Splunk Enterprise

How is Splunk creating the signature_id field for Windows Event Logs?

ejwade
Contributor

I'm trying to troubleshoot some Windows Event Log events coming into Splunk.

The events are stream processed, and come in as JSON. Here is a sample (obfuscated).

{"Version":"0","Level":"0","Task":"12345","Opcode":"0","Keywords":"0x8020000000000000","Correlation_ActivityID":"{99999999-9999-9999-9999-999999999999}","Channel":"Security","Guid":"99999999-9999-9999-9999-999999999999","Name":"Microsoft-Windows-Security-Auditing","ProcessID":"123","ThreadID":"12345","RecordID":"999999","TargetUserSid":"AD\\user","TargetLogonId":"0xXXXXXXXXX"}

There are a number of indexed fields as well, including "Computer" and "EventID".

What's interesting - signature_id seems to be created, but when I search on it, it fails. In this event, signature_id is shown under "Interesting Fields" with the value 4647, but if I put signature_id=4647 in the search line, it comes back with no results. If I put EventID=4647, it comes back with the result. I'm using Smart Mode.

This led me to dig into the Fields configurations (aliases, calculations, etc.), but I couldn't figure out how signature_id was created in the Windows TA. Can anyone provide any insight?

Thank you!
Ed


PickleRick
SplunkTrust

It does not look like any standard Splunk Windows-related sourcetype so it's hard to say from experience. You need to find the source of the file yourself. It might be either an indexed field or search-time extraction (for which you can just brute-force grep all your .conf files if all else fails).


m_pham
Splunk Employee

Hi - can you post the name of the sourcetype of the event where EventID=4647 comes up? You can then search for the sourcetype name in Splunk_TA_windows/default/props.conf to see how the signature_id field is created.

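Putting the two suggestions above (grep all your .conf files, and check props.conf for the sourcetype) into a script, as an added example that is not part of this thread: it writes a constructed sample props.conf and transforms.conf into a temp directory and reports every stanza whose field alias, calculated field, report, lookup or extraction definition mentions the field name. The stanza contents are made up for illustration and are not the real Splunk_TA_windows settings.

```shell
#!/bin/sh
# Added example: locate which props.conf/transforms.conf setting defines a
# search-time field. The .conf files below are constructed samples in the
# style of a Splunk TA, written to a temp dir so the script runs offline.
set -e

SAMPLE_ETC="$(mktemp -d)"   # stands in for $SPLUNK_HOME/etc (assumption)
mkdir -p "$SAMPLE_ETC/apps/sample_ta/default"

cat > "$SAMPLE_ETC/apps/sample_ta/default/props.conf" <<'EOF'
[xmlwineventlog]
FIELDALIAS-signature_id = EventCode AS signature_id
EVAL-action = if(EventCode="4624","success","failure")
REPORT-fields = winevent_kv

[source::WinEventLog:Security]
FIELDALIAS-user = TargetUserName AS user
EOF

cat > "$SAMPLE_ETC/apps/sample_ta/default/transforms.conf" <<'EOF'
[winevent_kv]
REGEX = (\w+)=(\S+)
FORMAT = $1::$2
EOF

# find_field_origin <field>: print "file:[stanza] key = value" for every
# search-time knowledge object whose definition mentions the field name.
# Only the setting prefixes Splunk uses for search-time fields are scanned,
# so a plain comment or unrelated key mentioning the name is ignored.
find_field_origin() {
    field="$1"
    find "$SAMPLE_ETC" -name '*.conf' | sort | while read -r conf; do
        stanza=""
        while IFS= read -r line; do
            case "$line" in
                \[*\]) stanza="$line" ;;   # remember the enclosing stanza
                FIELDALIAS-*|EVAL-*|REPORT-*|LOOKUP-*|EXTRACT-*|REGEX*|FORMAT*)
                    case "$line" in
                        *"$field"*) printf '%s:%s %s\n' \
                            "${conf#$SAMPLE_ETC/}" "$stanza" "$line" ;;
                    esac ;;
            esac
        done < "$conf"
    done
}

find_field_origin signature_id
```

On a live search head the merged, file-attributed view of the same information comes from `splunk btool props list xmlwineventlog --debug` (and `splunk btool transforms list --debug`), which also shows settings from local/ overriding default/.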

ejwade
Contributor

Hi @m_pham. I am using a standard source and sourcetype.

sourcetype="xmlwineventlog"
source="WinEventLog:Security"

Thank you!


m_pham
Splunk Employee

So a few questions:

What version of the Windows TA are you using on your search head?

What version of the Windows TA is on your UF for this data? What does your inputs.conf look like for the following stanza? [WinEventLog://Security]

Like @PickleRick said in his comment, this doesn't look like a standard Windows Event Log.


ejwade
Contributor

The Windows TA on the search heads is 8.6.0, and the Windows TA on the HF is 9.0.6.

Here is the inputs.conf stanza for Security.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = test_i
renderXml=true

The events are stream processed, and come in as JSON.


PickleRick
SplunkTrust

What do you mean by "stream processed"?

This config stanza should produce XML-formatted events, not JSON. So something is actively fiddling with your data before it's ingested. You should check the config of that solution.


PickleRick
SplunkTrust

OK. This is definitely not what XML windows events look like.
