Hello everyone,
I installed and configured the Splunk Forwarder on a machine. While the logs are being forwarded to Splunk, I’ve noticed that some data is missing from the logs that are coming through.
Could this issue be related to specific configurations that need to be adjusted on the forwarder, or is it possible that the problem is coming from the machines themselves? If anyone has experienced something similar or has insights on how to address this, I would greatly appreciate your advice.
Thank you in advance for your help!
Best regards,
There are several possible scenarios why you can't see the data you think should be getting into Splunk.
1. The data is actually not being properly read or otherwise received by the UF - check your inputs and their state, and check splunkd.log for any sign of the UF having problems with inputs. Also check whether files are either not found by your input definitions or skipped due to, for example, CRC duplication caused by a common header, or whether files simply cannot be read due to insufficient permissions.
2. The data might be configured to be sent to non-existent indexes. If you don't have a last-chance index defined, such events would get discarded.
3. There might be a configuration in place which does some filtering or redirection to other index(es).
4. The data might be getting indexed properly but you might be having problems with time recognition (especially with wrongly set timezones) resulting in events indexed at wrong point in time - that would mean that you're simply not seeing your events because your search range doesn't cover the events being indexed since they are "late".
Hi @BRFZ ,
Which logs are missing?
Are they always missing, or only at certain moments?
How did you find out that logs were missing?
Ciao.
Giuseppe
Hello @gcusello,
For example, in some events, we have the IP address, while in others, we just see a dash ("-") or 0, even for the same event ID.
Example:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID>4624</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2014-04-24T18:38:37.868683300Z'/><EventRecordID>412598</EventRecordID><Correlation/><Execution ProcessID='192' ThreadID='210980'/><Channel>System</Channel><Computer>TEST</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S18</Data><Data Name='SubjectUserName'>BOB</Data><Data Name='SubjectDomainName'>GOZ</Data><Data Name='SubjectLogonId'>x0</Data><Data Name='TargetUserSid'>s20</Data><Data Name='TargetUserName'>BOBT</Data><Data Name='TargetDomainName'>TESTTGT</Data><Data Name='TargetLogonId'>x0</Data><Data Name='LogonType'>x</Data><Data Name='LogonProcessName'>usr </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>tst</Data><Data Name='LogonGuid'>{845152}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>mspam</Data><Data Name='ProcessName'>test.ee</Data><Data Name='IpAddress'>x.x.x.x</Data><Data Name='IpPort'>0</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>mlmpknnn</Data><Data Name='TargetOutboundUserName'>-</Data></EventData></Event>
In this example, it's related to the IP address and port. In some cases, we have a specific IP address, while in others, it's just a dash ("-"). Similarly, for the port, sometimes it shows a dash ("-"), and other times it shows a 0, or sometimes the port is correctly specified.
That's pretty normal for Windows events. Not every log has every field. And not every field has a reasonable value each time. This is from my home lab.
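One way to tell the normal blanks from a real gap, as an added example that is not part of this thread or of Splunk's own code: parse the event XML in the shape shown above (what a UF ships for a WinEventLog input with renderXml = true) and compare the IpAddress value with the LogonType. For 4624, console (2), unlock (7) and cached-credentials (11) logons carry no network source, so "-" is expected there; network (3) and RemoteInteractive (10) logons normally name one. The LogonType mapping is a heuristic I chose, the sample events are constructed, and the functions parse_event, classify_source_address, summarize and make_4624 are mine.

```python
# Added example (not from the thread): check whether a blank IpAddress in a
# Windows 4624 event is plausible for its LogonType. Sample events are constructed.
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Heuristic mapping, not an exhaustive one: interactive (2), unlock (7) and
# cached-credentials (11) logons have no network source, so IpAddress "-" is
# normal. Network (3) and RemoteInteractive (10) logons should name a source.
LOCAL_LOGON_TYPES = {"2", "7", "11"}
REMOTE_LOGON_TYPES = {"3", "10"}


def parse_event(xml_text: str) -> dict:
    """Return EventID plus every <Data Name=...> value of one event as a dict."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS).strip()
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = (data.text or "").strip()
    return fields


def classify_source_address(ev: dict) -> str:
    """Say whether the IpAddress value is consistent with the LogonType."""
    if ev.get("EventID") != "4624":
        return "not-4624"
    has_ip = ev.get("IpAddress", "-") not in ("", "-")
    logon_type = ev.get("LogonType", "")
    if logon_type in LOCAL_LOGON_TYPES:
        return "present-but-local" if has_ip else "blank-expected"
    if logon_type in REMOTE_LOGON_TYPES:
        return "present" if has_ip else "blank-suspicious"
    return "present" if has_ip else "blank-unknown-type"


def summarize(xml_events) -> Counter:
    """Count (LogonType, verdict) pairs over a batch of raw XML events."""
    counts = Counter()
    for text in xml_events:
        ev = parse_event(text)
        counts[(ev.get("LogonType", ""), classify_source_address(ev))] += 1
    return counts


def make_4624(record_id: int, logon_type: str, ip: str, port: str) -> str:
    """Build a constructed 4624 event in the same shape as the poster's sample."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
        f"<EventID>4624</EventID><EventRecordID>{record_id}</EventRecordID>"
        "<Channel>Security</Channel><Computer>TEST</Computer></System>"
        "<EventData><Data Name='TargetUserName'>BOBT</Data>"
        f"<Data Name='LogonType'>{logon_type}</Data>"
        f"<Data Name='IpAddress'>{ip}</Data><Data Name='IpPort'>{port}</Data>"
        "</EventData></Event>"
    )


# Constructed sample batch (not real logs).
SAMPLE_EVENTS = [
    make_4624(1, "2", "-", "-"),             # console logon: blank address is normal
    make_4624(2, "7", "-", "-"),             # workstation unlock: also normal
    make_4624(3, "3", "10.0.0.5", "49213"),  # network logon with a source address
    make_4624(4, "3", "-", "0"),             # network logon without one: check at source
    make_4624(5, "10", "10.0.0.9", "0"),     # RDP: address present, port 0 is common
]

if __name__ == "__main__":
    for (logon_type, verdict), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"LogonType={logon_type:<3} {verdict:<20} {n}")
```

If the "blank-suspicious" bucket is non-empty, pull the same EventRecordID from the host with Event Viewer or Get-WinEvent and compare: a blank there too means the source wrote it that way, while a value present at the source but missing in Splunk points at the forwarding or parsing path.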
Hi @BRFZ ,
I don't think that's a Splunk issue: see the generated logs.
If it were a Splunk issue you could have a truncated log, but not a missing internal part of the event.
Unless you have a masking policy.
Ciao.
Giuseppe