We have been running a search that returns results for user and computer account creation. For the past week or so, the search no longer returns results for eventID's that I have verified are in the event log on the domain controller. Events were previously found as recently as 8/21 and are still found if I change the time range to include that data. I am not aware of any system changes since 8/21 that would have caused the null results.
The search we are using is:
EventCode="645" OR EventCode="624" OR EventCode="631" OR EventCode="4720" OR EventCode="4741" OR EventCode="4727" | top src_user user
If I search on other eventID's from the security log in Splunk, they are found without issue but the test user and computer accounts I created today and entries from others that I know have been created in the past few days are not found in the search results.
Any thoughts on what the issue might be?
Seems like a change happened in log configuration to stop logging for those events - check the log config's.
Is the EventCode field extraction working properly? What happens if you just add your test user account to the search criteria and remove all of the EventCode=?
yourtestaccount (645 OR 624 OR 631 OR 4720 OR 4741 OR 4727)
If it returns events, something is wrong with your EventCode field extraction. If it returns no events, something might be misconfigured on the data ingest side.
Thanks for the replies. Apologies, I am new to Splunk and this company as of Monday. Have been researching/training but still pretty green and had not narrowed the scope of the search properly so I was getting some erroneous results. Seems like a relatively simple issue. The data looks like it isn't being forwarded as the only source type listed is Active Directory.
I think it will be as simple as modifying the inputs.conf file to include WinEventLog:Security and plan to check it out in the morning. Have not been configured for our VPN yet so no remote access to work on it until I can get in the office tomorrow but once I can take a look at it, will update this appropriately.