- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search not producing event types
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello. I am trying to get interactive logon logs for all workstations in an organization. The event code for this log is 4624 with the Event Type 2. I am only seeing Event Type 0 in Splunk when I do a search. When I view the logs in Event Viewer on a test workstation I am seeing all the Logon Types. I have been searching a lot for answers and have tried every solution but none of them give me the results I need.
What I have done:
1.) Confirmed that the event log collections for security logs is enabled with the wineventlog index in Data Inputs on the Deployment Server.
2.) I created a whitelist in the local directory of that app for the inputs.conf file with the following format:
[WinEventLog://Security]
disabled = 0
whitelist = EventCode="4624" Message="LogonType=2"
also tried this,
[WinEventLog://Security]
disabled = 0
whitelist = EventCode="4624"
I created a REGEX in the local directory of that app for the transforms.conf file with the following format:
REGEX = (?msi)EventCode=4624.<em>Logon Type:\s</em>(2|10)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume when you refer to "that app", you're referring to the Splunk TA for Windows. Try setting your inputs.conf whitelist to:
whitelist = EventCode="4624" Message="Logon Type:\s+2"
I'm not sure what you're trying to do with the transforms - the Windows TA should parse the logon type field to "Logon_Type".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume when you refer to "that app", you're referring to the Splunk TA for Windows. Try setting your inputs.conf whitelist to:
whitelist = EventCode="4624" Message="Logon Type:\s+2"
I'm not sure what you're trying to do with the transforms - the Windows TA should parse the logon type field to "Logon_Type".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. That seems to have fixed the issue.
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
