LOGbinder for Splunk Free, No results found.



Brian.K

Brian.K - 2/22/2019
Brian.K - 2/22/2019
imrago - 2/22/2019
Brian.K - 2/22/2019
imrago - 2/22/2019
Brian.K - 2/22/2019
imrago - 2/22/2019
Brian.K - 2/21/2019
imrago - 2/21/2019
Brian.K - 2/21/2019

Followed the directions as per "8. Install Supercharger with Splunk Free and the Splunk App for LOGbinder"
Splunk version: 7.2.4 Build: 8a94541dcfac using logbinder_1.1.12.spl on windows 2012r2
index=main and there are over 500 events that can be viewed from the Splunk search panel.

All panels under Active Directory Changes show their heading but contain "No results found."


Is the sourcetype of those events "WinEventLog:Security" ?

I believe so.



Great. The next thing to check is whether those are events from a DC; please run this search:

| inputlookup domain_controllers

In the AD changes dashboards only the events originating from DCs are considered.
I can't seem to get any results with that query, although only my DCs are currently forwarding events.
Yesterday I added the DCs to the domain_controllers.csv file. Still no change.


The inputlookup should start with this character: "|"
Please run this search to see if Splunk can access it and if it is correctly populated:

| inputlookup domain_controllers

That lookup file is updated every 5 min using a saved search.





No results.

Understood. That lookup file is being populated based on a search like this:

`select_winseclog_events` (EventCode=4932 OR EventCode=4768)

Are there events with those EventCodes present? Is this search returning results?

No, I don't see any in the Supercharger-Destination-ADChanges%4Log either. Let me verify the GPO again to make sure we're collecting properly.  I'm seeing plenty of 5136 and some 111, 4611, 4728, 4737 Event IDs. Could there be an issue with the subscription?

I've confirmed the GPO settings. Now most of the DCs are unsubscribed, yet SuperCharger is still green after not forwarding a single event log in more than 18 hours.

I've double and triple checked all my settings and I'm still seeing this on my DCs. So it's no wonder I'm not seeing many events.

Brian.K

Brian.K - 2/25/2019
It appears that the required permissions are proper...

I'm also seeing some timely 5136 events forwarded from DCs that show the subscription ADChanges is unsubscribed.

Brian.K - 2/27/2019
Can you think of any reason why I am seeing a fair number of 5136 events being forwarded and nothing else? This doesn't seem to be a permission issue.

bjvista

Brian

Let me review our lab setup for the ADChanges subscription and see if I can have an answer for you ASAP.
bjvista

Brian.K - 3/1/2019

This is the XML query that the ADChanges filter is using:

<QueryList>
<Query Id="0" Path="Security">
  <Select Path="Security">*[System[( (EventID &gt;= 1100 and EventID &lt;= 1102) or EventID=1104 or EventID=1108 or EventID = 4610 or EventID=4614 or EventID=4622 or EventID=4697 or (EventID &gt;= 4704 and EventID &lt;= 4707) or EventID=4713 or (EventID &gt;= 4716 and EventID &lt;= 4720) or (EventID &gt;= 4725 and EventID &lt;= 4735) )]]</Select>
  <Select Path="Security">*[System[( (EventID &gt;= 4737 and EventID &lt;= 4739) or (EventID &gt;= 4754 and EventID &lt;= 4758) or EventID=4764 or EventID=4794 or EventID=4817 or EventID=4819 or (EventID &gt;= 4865 and EventID &lt;= 4867) or EventID=4906 or EventID=4908 or (EventID &gt;= 4911 and EventID &lt;= 4913) or EventID=6145)]]</Select>
  <Select Path="Security"> (*[System[EventID=5136]] and *[EventData[ Data[@Name='AttributeLDAPDisplayName'] = 'nTSecurityDescriptor' or Data[@Name='AttributeLDAPDisplayName'] = 'gpOptions' or Data[@Name='AttributeLDAPDisplayName'] = 'gpLink' ]]) or (*[System[EventID=5136 or EventID=5137]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=5141]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=4611]] and *[EventData[ Data[@Name='LogonProcessName'] != 'Winlogon' ]]) </Select>
  <Select Path="Security">*[System[EventID=4932]] and *[EventData[Data[@Name='Options'] = '2147483733']]</Select>
</Query>
</QueryList>  

So these are the events you should expect to see. Let's see if we can find where the hang-up is. The first step: do you see these events on the domain controller(s) in the Security log in Event Viewer?

If you do, the next step is to see if they are forwarding. So in Event Viewer on the collector where the ADChanges log lives, do you see these events being collected?

If so, the next step is to see if Splunk is consuming and processing the events.
Start with step 1 and let us know what you find. We need to figure out if this is a WEC issue or a Splunk issue.
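The subscription filter quoted above, transcribed by hand into Python as an added illustration (not LOGbinder or Supercharger code) so the event IDs mentioned in this thread can be checked against each clause; the event dict shape and the sample events are assumptions:

```python
# Added illustration: the ADChanges subscription filter quoted above,
# transcribed by hand (this is not LOGbinder or Supercharger code).
# Assumed event shape: {"EventID": int, "EventData": {Data @Name: value}}.

# Inclusive EventID ranges and single IDs from the first two <Select> clauses.
_RANGES = [(1100, 1102), (4704, 4707), (4716, 4720), (4725, 4735),
           (4737, 4739), (4754, 4758), (4865, 4867), (4911, 4913)]
_SINGLES = {1104, 1108, 4610, 4614, 4622, 4697, 4713, 4764, 4794,
            4817, 4819, 4906, 4908, 6145}
# Clause 3: 5136 is forwarded only for these attributes, or for GPO objects.
GPO_ATTRIBUTES = {"nTSecurityDescriptor", "gpOptions", "gpLink"}
# Clause 4: 4932 is forwarded only with this Options value.
REPL_OPTIONS = "2147483733"


def unconditional(event_id: int) -> bool:
    """Clauses 1 and 2: forwarded on the EventID alone."""
    return event_id in _SINGLES or any(lo <= event_id <= hi for lo, hi in _RANGES)


def matches_adchanges(event: dict) -> bool:
    """Return True if the ADChanges subscription would forward this event."""
    eid = event["EventID"]
    data = event.get("EventData", {})
    if unconditional(eid):
        return True
    if eid == 5136 and data.get("AttributeLDAPDisplayName") in GPO_ATTRIBUTES:
        return True
    if eid in (5136, 5137, 5141) and data.get("ObjectClass") == "groupPolicyContainer":
        return True
    # XPath '!=' is false when the Data element is absent, so require a value.
    if eid == 4611 and data.get("LogonProcessName") not in (None, "Winlogon"):
        return True
    if eid == 4932 and data.get("Options") == REPL_OPTIONS:
        return True
    return False


# Constructed samples using the event IDs mentioned in this thread.
SAMPLE_EVENTS = {
    "5136 gpLink modified": {"EventID": 5136, "EventData": {"AttributeLDAPDisplayName": "gpLink"}},
    "5136 description modified": {"EventID": 5136, "EventData": {"AttributeLDAPDisplayName": "description"}},
    "4728 member added": {"EventID": 4728},
    "4737 group changed": {"EventID": 4737},
    "4611 by Winlogon": {"EventID": 4611, "EventData": {"LogonProcessName": "Winlogon"}},
    "4932 Options=2147483733": {"EventID": 4932, "EventData": {"Options": "2147483733"}},
    "4932 other Options": {"EventID": 4932, "EventData": {"Options": "16"}},
    "4768 (used by the lookup search)": {"EventID": 4768},
    "111": {"EventID": 111},
}

if __name__ == "__main__":
    for label, event in SAMPLE_EVENTS.items():
        print("forward" if matches_adchanges(event) else "drop   ", label)
```

Running it shows which of the IDs seen on the DC can reach the ADChanges log at all, which narrows step 1 to the events the filter actually admits.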
Brian.K

bjvista - 3/4/2019

I'm only getting about 24 hours of logs showing in the Saved Logs > ADChanges location: 700 events, most of which are 5136; there are a few 4728 and 4737. Splunk reports still show "No results found".

bjvista

Brian.K - 3/5/2019

So then we are at step 1. We need to compare events in the Security log of the DC to the ADChanges log. We need to verify:
1. Which events from the above filter are logged on the DC?
2. Are these same events (not just IDs but the exact events) being forwarded? Are the exact same events located on the DC also located in the collector's ADChanges log?

If we can verify this we can move to the next step.
Brian.K

bjvista - 3/6/2019

It looks like a fair number of the events are now coming into Saved Logs > ADChanges.log. The times and Logon IDs match. A search in the Splunk search bar also shows the Logon IDs.

Brian.K

Brian.K - 3/6/2019

I've noticed the domain_controllers.csv file often refreshes but is not populating. What do I need to do to facilitate its population?

LOGbinder Forum

