Monitoring Splunk

How can we find the missing events in Splunk?

AL3Z
Builder

Hi,

Splunk hasn't captured the 4743 events, indicating computer account deletions that occurred yesterday at 2 pm. Where should we investigate to determine the root cause?

Thanks

inventsekar
SplunkTrust

Hi @AL3Z

As seen in the previous reply, to troubleshoot this issue a lot more details are required from your side.

Any changes recently done on those DC systems' inputs.conf / apps / add-ons, etc.?

Let's say you were expecting the 4743 at 5pm yesterday. Please check if you have events around that time from that particular Windows box (search for 4pm to 6pm events from that Windows box).

As said in other posts, good questions receive good answers. The more details you provide, the better the answers/suggestions we can help you with. Thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

AL3Z
Builder

Hello,

Today, we made modifications to Domain Admin groups, for which we had previously enabled Notables. The issue is that I haven't received any alerts related to it, and the events have not been collected in Splunk yet.

Here is the services snapshot for the Universal Forwarder from that domain controller:

Do we need to make any changes? Please let me know.

Thanks

PickleRick
SplunkTrust

OK. So modifications to the Domain Admins group are reflected with different events than 4743. So you seem to have a different problem than just losing one particular event ID.

PickleRick
SplunkTrust

There are several possible causes for that, starting from wrong permissions on the source side (we don't even know if these are the only events that are not ingested or if you're ingesting any events from the Security journal at all), through input black/whitelisting, to active filtering on HFs/indexers.

Don't get me wrong, but from this thread and other similar ones it looks as if your employer bought a Splunk license but didn't invest in either training for the staff or maintenance services from your friendly local Splunk partner. And you seem to need it.

gcusello
SplunkTrust

Hi @AL3Z,

You should run a search like the following:

index=your_index EventCode=4743

If you have no results, you have to perform two checks:

First, on the Splunk_TA Windows that you're using to ingest logs, to see if this EventCode is ingested or not. Maybe there's a whitelist or a blacklist that filters this EventCode.

If there isn't any filter, check on your Domain Controller whether this EventCode is logged on Windows: not all events are logged by default. About this I cannot help you: you need a Windows specialist.

Ciao.

Giuseppe

AL3Z
Builder

@gcusello ,

We're ingesting logs with this event code, but occasionally we're not receiving all the logs from the DCs into Splunk.

PickleRick
SplunkTrust

OK. So you have a different problem.

Are you missing any other events?

Are you having connection problems?

Are you getting any errors in _internal?

Are you hitting thruput limits?

Do you ingest all events from the beginning or just current ones?

AL3Z
Builder

@PickleRick ,

Are you missing any other events?
Nope, only 4743.

Are you having connection problems?
I don't think so. How to check?

Are you getting any errors in _internal?
How to check?

Are you hitting thruput limits?
Yes.

Do you ingest all events from the beginning or just current ones?
Yes, we are ingesting all events from the beginning.

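The checks PickleRick lists, and the "how to check" questions in the reply above, as added example SPL searches that are not part of this thread: they assume the index name your_index from gcusello's reply, a placeholder host YOUR_DC for the domain controller, and the Windows TA's Security sourcetype (classic or XML rendering); lines starting with # are annotations, not SPL, so run each search on its own.

```spl
# Assumptions: index "your_index" (from the thread), host "YOUR_DC" (placeholder
# for the domain controller), sourcetype *WinEventLog:Security (matches the
# classic WinEventLog and XmlWinEventLog renderings of the Windows TA).

# 1. Is anything from the DC's Security log arriving at all, and are there gaps?
#    An hour with events=0 or a sudden drop in distinct_codes points at forwarder
#    downtime or connectivity loss rather than a filter on one EventCode.
index=your_index host=YOUR_DC sourcetype="*WinEventLog:Security" earliest=-1d@d latest=@d
| timechart span=1h count AS events dc(EventCode) AS distinct_codes

# 2. Late rather than missing? A large index lag means the forwarder queued or
#    throttled the data, and the 4743 may still arrive after the alert window.
index=your_index host=YOUR_DC sourcetype="*WinEventLog:Security" earliest=-1d@d
| eval index_lag_sec = _indextime - _time
| stats count max(index_lag_sec) AS max_lag_sec p95(index_lag_sec) AS p95_lag_sec by EventCode
| sort -max_lag_sec

# 3. Forwarder errors in _internal (the UF forwards its own splunkd.log by
#    default). TcpOutputProc entries indicate connection problems to the
#    indexers/HFs; components mentioning WinEventLog indicate channel or
#    permission problems reading the Security log.
index=_internal host=YOUR_DC sourcetype=splunkd (log_level=WARN OR log_level=ERROR)
| stats count min(_time) AS first_seen max(_time) AS last_seen by component, log_level
| convert ctime(first_seen) ctime(last_seen)
| sort -count

# 4. Thruput limit: ThruputProcessor logs when the UF reaches maxKBps from
#    limits.conf, and metrics.log shows how close it runs to that cap.
index=_internal host=YOUR_DC sourcetype=splunkd component=ThruputProcessor
| timechart span=1h count AS throttle_messages

index=_internal host=YOUR_DC source=*metrics.log group=thruput name=thruput
| timechart span=15m max(instantaneous_kbps) AS peak_kbps avg(average_kbps) AS avg_kbps

# 5. Filters cannot be seen from a search: review blacklist/whitelist entries
#    on the Security stanza in the Windows TA's inputs.conf on the DC, and any
#    props/transforms routing to nullQueue on the heavy forwarders/indexers.
```

Searches 3 and 4 only return data if the forwarder's _internal logs reach the indexers; if those are missing too, the connectivity problem is confirmed at that point.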
gcusello
SplunkTrust

Hi @AL3Z ,

Are you saying that usually events with this EventCode are ingested, but sometimes you lose events?

In this case, analyze if there was some downtime of the Forwarder or of the connection, starting from the period where you're sure that you lost some events.

If you're sure that there wasn't any downtime, open a case with Splunk Support.

Ciao.

Giuseppe
