Hello. I am trying to get interactive logon logs for all workstations in an organization. The event code for this log is 4624 with the Event Type 2. I am only seeing Event Type 0 in Splunk when I do a search. When I view the logs in Event Viewer on a test workstation I am seeing all the Logon Types. I have been searching a lot for answers and have tried every solution but none of them give me the results I need.
What I have done:
1.) Confirmed that the event log collection for security logs is enabled with the wineventlog index in Data Inputs on the Deployment Server.
2.) I created a whitelist in the local directory of that app for the inputs.conf file with the following format:
[WinEventLog://Security]
disabled = 0
whitelist = EventCode="4624" Message="LogonType=2"
also tried this,
[WinEventLog://Security]
disabled = 0
whitelist = EventCode="4624"
I created a REGEX in the local directory of that app for the transforms.conf file with the following format:
REGEX = (?msi)EventCode=4624.*Logon Type:\s*(2|10)
I assume when you refer to "that app", you're referring to the Splunk TA for Windows. Try setting your inputs.conf whitelist to:
whitelist = EventCode="4624" Message="Logon Type:\s+2"
I'm not sure what you're trying to do with the transforms - the Windows TA should parse the logon type field to "Logon_Type".
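To see why the first whitelist returned nothing and the second let every logon type through, here is an added Python example (not from this thread and not Splunk's own code) that applies each whitelist to a constructed 4624 event the way Splunk's key="regex" whitelist matching works. The event layout mirrors how the WinEventLog input renders Security events; the host, SID and timestamp values are made up.

```python
import re

# Constructed sample of a Windows Security 4624 event as rendered by Splunk's
# WinEventLog input. The logon type appears in the Message body as a
# tab-separated "Logon Type:" line, never as a "LogonType=" token. "EventType"
# is the Windows event type, a different field from "Logon Type".
def make_event(logon_type: int) -> str:
    return (
        "03/01/2024 09:12:33 AM\n"
        "LogName=Security\n"
        "EventCode=4624\n"
        "EventType=0\n"
        "ComputerName=WS01.example.local\n"
        "Message=An account was successfully logged on.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-18\n"
        "\tAccount Name:\t\tWS01$\n"
        "\n"
        "Logon Information:\n"
        f"\tLogon Type:\t\t{logon_type}\n"
        "\tRestricted Admin Mode:\t-\n"
    )

# A whitelist line is a series of key="regex" pairs. Every pair must match for
# the event to be indexed (pairs on one line are ANDed); regexes are unanchored.
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_whitelist(line: str) -> dict:
    return dict(PAIR_RE.findall(line))

def field_value(event: str, key: str) -> str:
    # Header fields are single "Key=value" lines; Message runs from "Message="
    # to the end of the event, so it is matched across line breaks.
    flags = re.M | re.S if key == "Message" else re.M
    m = re.search(rf"^{key}=(.*)", event, flags)
    return m.group(1) if m else ""

def whitelist_matches(event: str, whitelist: str) -> bool:
    pairs = parse_whitelist(whitelist)
    return all(re.search(rx, field_value(event, key)) for key, rx in pairs.items())

if __name__ == "__main__":
    candidates = [
        r'EventCode="4624" Message="LogonType=2"',      # first attempt: never matches
        r'EventCode="4624"',                            # second attempt: every logon type
        r'EventCode="4624" Message="Logon Type:\s+2"',  # suggested fix: only type 2
    ]
    for wl in candidates:
        hits = [t for t in (2, 3, 10) if whitelist_matches(make_event(t), wl)]
        print(f"{wl:50} -> logon types indexed: {hits}")
```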
Thank you. That seems to have fixed the issue.