Hello Splunk Community,   i monitor the audit.log on RHEL8. As soon as I generate a specific log entry locally, I can find this log entry through my defined search query in Splunk. However, if a few hours pass, I can no longer find it with the same search query. Of course, I adjust the time settings accordingly. First, I search in real-time (last 30 minutes), then I switch to, for example, Today or the last 4 hours. I have noticed that this happens with searches that include "transaction msg maxspan=5m". I want to see all the related transactions. When I have the command transaction msg maxspan=5m in my search, I find all the related transactions in real-time. After a few hours, I no longer get any hits with the same search query. Only when I remove the transaction command from the search do I see the entries again, but then I don't see as much information as before. Nothing changes if i switch to transaction msg maxevent=3. Do I possibly have a wrong configuration of my environment here, or do I need to adjust something? Thanks in advance. Search Query: index="sys_linux" sourcetype="linux_audit" | transaction msg maxspan=5m | search type=SYSCALL (auid>999 OR auid=0) auid!=44444 auid!=4294967295 comm!=updatedb comm!=ls comm!=bash comm!=find comm!=crond comm!=sshd comm!="(systemd)" | rex field=msg "audit\((?P<date>[\d]+)" | convert ctime(date) | sort by date | table date, type, comm, uid, auid, host, name ... View more

Hello all, I need your help in analyzing my collected log data. I have all of our Windows servers connected in Splunk using the Universal Forwarder. This includes the domain controllers as well. Only the security event log is transmitted. I have installed the Splunk Add-on for Microsoft Windows on the Splunk servers (Indexer, Searchead,). I want to know about failed login attempts, account lockouts, as well as tampering with Local Administrator accounts. If I now start a search query for example on Event ID 4625, I get thousandfold messages with field "host" where my domain controllers are inside. At "host" I want to see the really affected system. For example my Splunk query looks like this: index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740) | eval Benutzerkonto = coalesce(Kontoname, Account_Name) | eval Meldung = coalesce(Fehlerursache, Failure_Reason) | eval IP-Quelladresse = coalesce(Source_network_address, Quellnetzwerkadresse) | table _time, ComputerName, Benutzerkonto, Meldung, IP-Quelladresse (I merge german and english logentries). I only want to know when someone tries to log in to the domain controller, locks his account there or hijacks the local admin on the domain controller. I do not want to see log entries of affected systems via the domain controllers. Do you have a solution to the problem or even suggestions for improvement? Thanks in advance. Best regards Codyy_Fast ... View more