Splunk App for Windows Infrastructure: Why does Failed Logons by IP Address chart never populate data?

hochit
Path Finder

I found that the "Failed Logons by IP Address" chart in the Splunk App for Windows Infrastructure never shows any data, though the "Failed Logons over Time" chart shows that there are failed logins.

I drilled down a bit more and found that it is essentially because wineventlog did not come with the "Source_Network_Address" or "Client_Address" fields that Splunk_TA_windows expected:

[Source_Network_Address_as_src_ip]
SOURCE_KEY = Source_Network_Address
REGEX = ([\\]+)?([^-].*)
FORMAT = src_ip::"$2"

[Client_Address_as_src_ip]
SOURCE_KEY = Client_Address
REGEX = ([\\]+)?([^-].*)
FORMAT = src_ip::"$2"

However, I saw another field, "src_nt_host", which shows the IPs that I want. I'm thinking of either aliasing src_nt_host or replacing the default transformation above with the same one used for "src_nt_host". What was the original idea behind this transformation? Is it to handle different Windows versions? My case is Windows Server 2012 (AD).

[Workstation_Name_as_src_nt_host]
SOURCE_KEY = Workstation_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"

[Caller_Machine_Name_as_src_nt_host]
SOURCE_KEY = Caller_Machine_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"

[Client_Machine_Name_as_src_nt_host]
SOURCE_KEY = Client_Machine_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"

[Caller_Computer_Name_as_src_nt_host]
SOURCE_KEY = Caller_Computer_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"

[Source_Workstation_as_src_nt_host]
SOURCE_KEY = Source_Workstation
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"

cmccririe
Splunk Employee

The search that builds the lookup table tHostInfo was disabled in my environment. Enable the scheduled search tHostInfo_Lookup_Update and your dashboard should populate.


papaleo
New Member

My scheduled search is enabled, but it still doesn't work.
I also removed fix-localhost, because otherwise it doesn't work for me.


EdgarAllenProse
Path Finder

It might be a failure in the macro. I just realized I have this issue too, so we'll troubleshoot together!

TL;DR: the fields are wrong, and the lookup mentioned in the macro ip-to-host does not exist. Update the macro fix-localhost, fix the query (shown below), and remove |`ip-to-host` from the query. That should fix it. Oh, and don't forget to change the panel's query as well after testing.

Failed Logons Over Time query:

eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type 
|timechart count by signature

Failed Logons by IP query:

eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type 
|`ip-to-host`
|`fix-localhost`
|stats count by src_nt_host,src_ip
|sort -count
|rename src_nt_host as "Workstation",src_ip as "IP Address"

Note the two macros in your failed logon by IP query:

  1. ip-to-host
  2. fix-localhost

Now the searches for each macro:

ip-to-host = join src_ip [|inputlookup tHostInfo | table src_ip,src_host,src_nt_domain]

fix-localhost = 'eval src_host=if(src_ip=="127.0.0.1" OR src_ip=="-",upper(host),src_host)|eval src_host=src_nt_domain."\".src_host '

Now I see a problem here: index=wineventlog does not have a src_ip field, and eventtype=msad* uses index=wineventlog.
BUT! There is a field IpAddress that contains IP addresses, and host that contains hostnames, where the field src_host does not exist.

So let's tweak these macros:
ip-to-host = join src [|inputlookup tHostInfo | table src,Caller_Domain]
fix-localhost = eval host=if(IpAddress=="127.0.0.1" OR IpAddress=="-",upper(host),host)|eval host= Caller_Domain."\\".host

Still not getting anything, so I search (no leading pipe: the eventtype is the base search, not a generating command):

eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src,host,Caller_Domain,user,Logon_Type
|`ip-to-host`
|`fix-localhost`
|stats count by host,src
|sort -count
|rename host as "Workstation",src as "IP Address"

Note, I've changed the query to represent fields that exist in index=wineventlog.

Still not getting anything! But wait, a lookup is mentioned in the macro ip-to-host; let's see how that is configured!

There is no lookup tHostInfo, so let's remove ip-to-host from the query:

eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src,host,Caller_Domain,user,Logon_Type
|`fix-localhost`
|stats count by host,src
|sort -count
|rename host as "Workstation",src as "IP Address"

YES!!!!!! IT WORKS!

Results:

Workstation        IP Address      count
DOMAIN<Hostname>   127.0.0.1       2
DOMAIN<Hostname>   10.###.##.###   1
DOMAIN<hostname>   127.0.0.1       1

So change the fields in the macro fix-localhost, as noted in "let's tweak these macros", then remove ip-to-host from the query, and update the query the panel uses to search.

hochit
Path Finder

More thoughts...
My raw XML event looks like this. I believe src_ip can be extracted from IpAddress:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2016-11-23T09:46:24.500210800Z'/><EventRecordID>373002</EventRecordID><Correlation/><Execution ProcessID='504' ThreadID='3996'/><Channel>Security</Channel><Computer>spunk_forward.splunk0.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>vic.chen</Data><Data Name='TargetDomainName'>TC-NB553</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>TC-NB553</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>192.168.3.32</Data><Data Name='IpPort'>55425</Data></EventData></Event>

This is what I'm going to add.

props.conf
[source::*:Security]
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip,IpAddress_as_src_ip

transforms.conf
[IpAddress_as_src_ip]
SOURCE_KEY = IpAddress
REGEX = (.+)
FORMAT = src_ip::$1

lakshman239
SplunkTrust

As you know, src_ip has the IP address and src_nt_host captures the host name. In your case, if your src_ip doesn't have the value (i.e. IP address) you need, and if that's present in src_nt_host, you can alias it and it should work.

Alternatively, if you go down the props/transforms approach (as above), as soon as the first src_ip is obtained, the transform will return. So, if Source_Network_Address_as_src_ip returns a value for src_ip, your IpAddress_as_src_ip may not run, or may overwrite it. Please check/test it once.

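To check what the transforms.conf stanzas in this thread (the TA's two stock src_ip stanzas plus hochit's IpAddress_as_src_ip) do with the XML 4625 event quoted above, and which of them fire in REPORT order as lakshman239's caveat asks, here is an added Python simulation. It is not Splunk's extraction engine and not code from the thread or the TA: it assumes each stanza is an unanchored PCRE search on SOURCE_KEY, that the quotes in FORMAT do not affect the value, and it uses a trimmed, constructed copy of the event.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the 4625 event quoted in the thread, trimmed to the
# EventData element, which is all these transforms read.
EVENT_XML = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<EventData>
<Data Name='TargetUserName'>vic.chen</Data>
<Data Name='LogonType'>3</Data>
<Data Name='WorkstationName'>TC-NB553</Data>
<Data Name='IpAddress'>192.168.3.32</Data>
<Data Name='IpPort'>55425</Data>
</EventData></Event>"""

# Stanzas in the order the REPORT- setting lists them:
# (stanza name, SOURCE_KEY, REGEX, capture group referenced by FORMAT)
TA_REGEX = r"([\\]+)?([^-].*)"   # drop leading backslashes, reject "-" placeholders
TRANSFORMS = [
    ("Source_Network_Address_as_src_ip", "Source_Network_Address", TA_REGEX, 2),
    ("Client_Address_as_src_ip", "Client_Address", TA_REGEX, 2),
    ("IpAddress_as_src_ip", "IpAddress", r"(.+)", 1),   # hochit's addition
]

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_fields(xml_text):
    """Flatten <Data Name=...> elements into {Name: value}, like the XML extraction."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall(".//e:Data", NS)}


def apply_transform(stanza, fields):
    """Value a single stanza would emit, or None if SOURCE_KEY is absent or REGEX fails.
    Assumption: unanchored search, as the TA regex has no ^ anchor."""
    _, source_key, regex, group = stanza
    if source_key not in fields:
        return None
    m = re.search(regex, fields[source_key])
    return m.group(group) if m else None


def extract_src_ip(fields, transforms=TRANSFORMS):
    """Run every stanza and report (stanza, value) for each one that fires."""
    return [(s[0], v) for s in transforms if (v := apply_transform(s, fields)) is not None]


if __name__ == "__main__":
    print(extract_src_ip(event_fields(EVENT_XML)))
```

Note the difference in the last assertion below: the TA's regex turns a "-" placeholder into no field, while (.+) would emit src_ip="-", so a chart grouped by src_ip would gain a "-" bucket.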

kent_farries
Path Finder

The Failed Logons by IP Address works for us and we are using the Splunk App for Windows Infrastructure V1.4.0, Splunk Enterprise V6.5.1, and Splunk_TA_windows V4.8.3.

The only issue we did notice in general with the application was that under Windows Performance Monitoring the Perfmon Hosts Multiselect was not defined correctly so we fixed it (Token Prefix, Token Suffix, and Token Value Prefix were empty) since we are now able to edit the dashboard with 1.4.0.

Hope that helps.


Richfez
SplunkTrust

I don't have the Windows Infra app installed any more, and though I don't know why this isn't working off hand, you are probably heading down the right road for correcting it.

If you need a field called src_ip and you can extract it easily enough, I'd do that. In this case an alias may work just fine since you have it available already. Either method will likely work fine.

So, IMO make the field as you seemed to be doing and do some testing to see if your results make sense.
