The Splunk App for Windows Infrastructure has the windows_signatures.csv lookup file:
```
signature_id,signature,CategoryString,action,result
512,"Windows NT is starting up",,,
...
1104,"The security Log is now full",,,
```
And then the lookup itself:
```
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
```
So here's the problem. I have an event coming from SharePoint with event code 1104:
```
LogName=Application
SourceName=Microsoft-SharePoint Products-PerformancePoint Service
EventCode=1104
```
And the lookup matches it - based on it being event code 1104 - to the message "The security Log is now full".
That's wrong - and pretty alarming. It looks like the lookup file is just for events from the Security log, yet the lookup is ignoring the log name, so event code 1104 becomes a full security log regardless of the log name (let alone the source name).
I'm still new with Splunk, so it's possible that I've effed something up to get this result. Has anyone else noticed this?
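To show why the collision happens and what keying the lookup on the log as well fixes, here is an added example (not the app's code and not Splunk's lookup engine) that models a CSV lookup in Python. The signature rows and the events are constructed; the LogName column in the CSV is an assumption, since the shipped windows_signatures.csv has no such column.

```python
import csv
import io

# Constructed excerpt shaped like windows_signatures.csv, plus an assumed LogName column.
SIGNATURES_CSV = """signature_id,LogName,signature
512,Security,Windows NT is starting up
1104,Security,The security Log is now full
4625,Security,An account failed to log on
"""

# Constructed events: a genuine Security-log 1104 and the SharePoint 1104 from the question.
EVENTS = [
    {"LogName": "Security", "SourceName": "Microsoft-Windows-Eventlog", "EventCode": "1104"},
    {"LogName": "Application", "SourceName": "Microsoft-SharePoint Products-PerformancePoint Service",
     "EventCode": "1104"},
    {"LogName": "Security", "SourceName": "Microsoft-Windows-Security-Auditing", "EventCode": "4625"},
]

def load_signatures(text):
    return list(csv.DictReader(io.StringIO(text)))

def lookup(events, rows, match_fields):
    """Model a CSV lookup: copy `signature` from the first row whose match columns equal the
    event's fields. match_fields maps lookup column -> event field. OUTPUTNEW semantics: an
    existing signature on the event is never overwritten."""
    enriched = []
    for ev in events:
        out = dict(ev)
        for row in rows:
            if all(row[col] == ev.get(field) for col, field in match_fields.items()):
                out.setdefault("signature", row["signature"])
                break
        enriched.append(out)
    return enriched

def by_eventcode_only(events, rows):
    # Models the shipped behaviour: match on signature_id alone, whatever the log.
    return lookup(events, rows, {"signature_id": "EventCode"})

def by_log_and_eventcode(events, rows):
    # Stricter variant: the event must also come from the log the signature belongs to.
    return lookup(events, rows, {"signature_id": "EventCode", "LogName": "LogName"})

def misattributed(events, rows):
    """Events the EventCode-only lookup labels but the log-aware lookup does not:
    these are the false alarms described in the question."""
    loose, strict = by_eventcode_only(events, rows), by_log_and_eventcode(events, rows)
    return [(l["LogName"], l["EventCode"], l["signature"])
            for l, s in zip(loose, strict) if "signature" in l and "signature" not in s]
```

Running `misattributed(EVENTS, load_signatures(SIGNATURES_CSV))` returns only the Application-log 1104 tagged as "The security Log is now full", which is exactly the mismatch reported above.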