Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search not producing event types
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello. I am trying to get interactive logon logs for all workstations in an organization. The event code for this log is 4624 with the Event Type 2. I am only seeing Event Type 0 in Splunk when I do a search. When I view the logs in Event Viewer on a test workstation I am seeing all the Logon Types. I have been searching a lot for answers and have tried every solution but none of them give me the results I need.
What I have done:
1.) Confirmed that the event log collections for security logs is enabled with the wineventlog index in Data Inputs on the Deployment Server.
2.) I created a whitelist in the local directory of that app for the inputs.conf file with the following format:
[WinEventLog://Security]
disabled = 0
whitelist = EventCode="4624" Message="LogonType=2"
also tried this,
[WinEventLog://Security]
disabled = 0
whitelist = EventCode="4624"
I created a REGEX in the local directory of that app for the transforms.conf file with the following format:
REGEX = (?msi)EventCode=4624.<em>Logon Type:\s</em>(2|10)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume when you refer to "that app", you're referring to the Splunk TA for Windows. Try setting your inputs.conf whitelist to:
whitelist = EventCode="4624" Message="Logon Type:\s+2"
I'm not sure what you're trying to do with the transforms - the Windows TA should parse the logon type field to "Logon_Type".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume when you refer to "that app", you're referring to the Splunk TA for Windows. Try setting your inputs.conf whitelist to:
whitelist = EventCode="4624" Message="Logon Type:\s+2"
I'm not sure what you're trying to do with the transforms - the Windows TA should parse the logon type field to "Logon_Type".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. That seems to have fixed the issue.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
