Splunk Enterprise

Splunk UF WinEventlog Security Event data missing

rukshar
Explorer

We are trying to configure event monitoring for Security Event ID 4624 (successful login) and Event ID 4625 (unsuccessful login) for an Account. We have created the app with the below stanza in inputs.conf file:


[WinEventLog://Security]
index = wineventlog
sourcetype=Security:AD_Sec_entmon
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 300
whitelist = EventCode="4624|4625"
#renderXml=false


However, there is no data, though the app has been successfully deployed.

Please assist me on this issue.

0 Karma

iamsahilshaiks
Splunk Employee

I think your whitelist setting should be correctly formatted; try using whitelist = 4624,4625 to ensure proper filtering, and confirm whether renderXml=false is appropriate, as XML-based logs may require renderXml=true for accurate extraction.

Next, check if Windows is generating these events by running this command in PowerShell:
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4624 -or $_.Id -eq 4625 } | Select-Object -First 10


If no events appear, ensure that Windows auditing policies are correctly configured by navigating to gpedit.msc → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff → Audit Logon, and verifying that success and failure logging is enabled.

You can also confirm this by running auditpol /get /subcategory:"Logon" in PowerShell.

If you see errors like the following, it could indicate a misconfiguration in inputs.conf:
ERROR ExecProcessor - message from "WinEventLog" The parameter is incorrect.

And, perform a Splunk search to confirm if any relevant events have been indexed by running:
index=* sourcetype=Security:AD_Sec_entmon EventCode=4624 OR EventCode=4625

If no results appear, try searching with index=* EventCode=4624 OR EventCode=4625
OR check index metadata with | metadata type=sourcetypes index=wineventlog.

If data is still missing, it’s worth testing with the default Splunk sourcetype by modifying inputs.conf to use sourcetype=WinEventLog:Security instead.

[WinEventLog://Security]
index = wineventlog
sourcetype=WinEventLog:Security
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 300
whitelist = 4624,4625

After making any configuration changes, restart the Splunk Universal Forwarder using splunk restart or Restart-Service SplunkForwarder on Windows. 

Thanks,
Shaik Sahil

Splunk Core Certified Consultant
0 Karma

PickleRick
SplunkTrust

Let me interject here, @iamsahilshaiks 

For regex-based whitelisting it's not as simple as just putting the regex on its own. See https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_allow_list_and_deny_l... - you have to

1. Provide a key which will be matched against the regex

2. Enclose the regex in delimiters of your choice.

So your example of whitelist = (?m)^4624$|^4625$ is completely wrong.

Additionally, if you're exporting events as XML (which is currently the preferred way because traditional format tends to have some problems with parsing), you use XmlRegex key for filtering.

splunk list monitor only list - as the name says - monitor type inputs which read files from the disk. Windows event log sources are not of monitor type.

Last time I checked, grep was neither a standard CMD-usable tool nor a standard powershell cmdlet. And Windows doesn't use the $ notation for environment variables.

As far as I remember, the events from Security log are not recast to another sourcetype. And actually your input stanza matches the "old way" of ingesting windows logs, which hasn't been used for several years now. Currently, the sourcetype for all windows logs should be WinEventlog or XmlWinEventlog depending on whether you're rendering them to XML or not. It's the source field which specifies the point of origin.


0 Karma
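Added example (not from the thread and not Splunk's own code): a small Python checker that parses the two whitelist forms discussed above, the comma-separated code list and key=%regex% pairs, and applies them to constructed sample events so a filter can be sanity-checked before it is deployed. It assumes the docs' key=<delimiter>regex<delimiter> form, search (unanchored) regex semantics, and AND across pairs on a single whitelist line.

```python
import re

# Constructed sample events shaped like WinEventLog fields (not real log data).
SAMPLE_EVENTS = [
    {"EventCode": "4624", "User": "alice", "Message": "An account was successfully logged on."},
    {"EventCode": "4625", "User": "bob", "Message": "An account failed to log on."},
    {"EventCode": "4634", "User": "alice", "Message": "An account was logged off."},
    {"EventCode": "4672", "User": "SYSTEM", "Message": "Special privileges assigned to new logon."},
]

# Form 1: comma-separated event codes or ranges, e.g. "4624,4625" or "4624-4634".
CODE_LIST = re.compile(r"^\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*$")
# Form 2: one or more key=<delim>regex<delim> pairs, e.g. EventCode=%^(4624|4625)$%; the
# delimiter is any single non-alphanumeric, non-space character (assumption from the docs' %...%).
KEY_REGEX = re.compile(r"\s*(\$?\w+)=([^\w\s])(.*?)\2")


def parse_filter(value):
    """Return ("codes", {ints}) or ("regex", [(key, compiled_pattern)]); raise on bad syntax."""
    value = value.strip()
    if CODE_LIST.match(value):
        codes = set()
        for item in value.split(","):
            lo, _, hi = item.partition("-")
            codes.update(range(int(lo), int(hi or lo) + 1))
        return "codes", codes
    pairs, pos = [], 0
    while pos < len(value):
        m = KEY_REGEX.match(value, pos)
        if not m:  # e.g. a bare regex with no key, or an unclosed delimiter
            raise ValueError(f"unrecognised whitelist syntax near {value[pos:]!r}")
        pairs.append((m.group(1), re.compile(m.group(3))))
        pos = m.end()
    if not pairs:
        raise ValueError("empty whitelist value")
    return "regex", pairs


def matching_events(value, events=SAMPLE_EVENTS):
    """EventCodes of the events that the given whitelist value would let through."""
    kind, spec = parse_filter(value)
    passed = []
    for ev in events:
        if kind == "codes":
            ok = int(ev["EventCode"]) in spec
        else:
            # Assumed semantics: every key=regex pair on one line must match (AND), and the
            # regex is applied as a search, so anchor with ^...$ to match a code exactly.
            ok = all(p.search(ev.get(k, "")) for k, p in spec)
        if ok:
            passed.append(ev["EventCode"])
    return passed
```

Running matching_events("EventCode=%46%") against the sample set lets all four codes through, which is the kind of over-match an unanchored regex produces.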

marnall
Motivator

In addition to the other answers, you may also want to check that your forwarder is not having permission problems in reading the Security wineventlog. If you install the unprivileged windows forwarder and do not add the SplunkForwarder virtual user to the "Event Log Readers" group, then it may fail to subscribe to the Security event log channel.

Search: (assuming that your forwarder IS sending internal logs, but not windows event logs)

index=_internal host=<host> errorCode=5 "unable to subscribe to Windows Event Log"


0 Karma

splunkmarroko
Engager

hello @rukshar ,

the stanza looks good, make sure it is placed in the right location:
either: /opt/splunkforwarder/etc/system/local
or: /opt/splunkforwarder/etc/apps/<yourapp>/local
also double check you have an outputs.conf, also a quick restart won't hurt.

0 Karma

livehybrid
Super Champion

Hi @rukshar 

Do you have the Splunk_TA_windows installed as well?

If you are not making the changes in Splunk_TA_windows/local and are using your own custom app with a default directory rather than local, then you need to make sure the custom app has a higher order of precedence than the Splunk_TA_windows app, e.g. 100_yourOrg_wininputs (precedence goes 0-9A-Za-z).

For more info on precedence check out https://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will


0 Karma

PickleRick
SplunkTrust

1. Why are you using a custom sourcetype? There are already well-defined knowledge objects for the standard windows eventlog sourcetypes which come with TA_windows.

2. You can't define two separate instances of the same input (in your case - WinEventLog://Security). So check with btool what are the effective settings for your input after layering your own app and windows built-in stuff (and possibly TA_windows).

0 Karma