Splunk Search

Search not producing event types

insomniacnerd94
Explorer

Hello. I am trying to get interactive logon logs for all workstations in an organization. The event code for this log is 4624 with the Event Type 2. I am only seeing Event Type 0 in Splunk when I do a search. When I view the logs in Event Viewer on a test workstation I am seeing all the Logon Types. I have been searching a lot for answers and have tried every solution but none of them give me the results I need.

What I have done:
1.) Confirmed that the event log collections for security logs is enabled with the wineventlog index in Data Inputs on the Deployment Server.
2.) I created a whitelist in the local directory of that app for the inputs.conf file with the following format:

[WinEventLog://Security]
disabled = 0
whitelist = EventCode="4624" Message="LogonType=2"

also tried this,

[WinEventLog://Security]
disabled = 0
whitelist = EventCode="4624"

I created a REGEX in the local directory of that app for the transforms.conf file with the following format:

REGEX = (?msi)EventCode=4624.<em>Logon Type:\s</em>(2|10)
0 Karma
1 Solution

wenthold
Communicator

I assume when you refer to "that app", you're referring to the Splunk TA for Windows. Try setting your inputs.conf whitelist to:

whitelist = EventCode="4624" Message="Logon Type:\s+2"

I'm not sure what you're trying to do with the transforms - the Windows TA should parse the logon type field to "Logon_Type".

View solution in original post

wenthold
Communicator

I assume when you refer to "that app", you're referring to the Splunk TA for Windows. Try setting your inputs.conf whitelist to:

whitelist = EventCode="4624" Message="Logon Type:\s+2"

I'm not sure what you're trying to do with the transforms - the Windows TA should parse the logon type field to "Logon_Type".

insomniacnerd94
Explorer

Thank you. That seems to have fixed the issue.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...