LOGbinder for Splunk Free, No results found.


Brian.K - 2/25/2019

It appears that the required permissions are proper...

Brian.K - 2/27/2019

I'm also seeing some timely 5136 events forwarded from DCs that show the subscription ADChanges is unsubscribed.

Brian.K - 3/1/2019

Can you think of any reason why I am seeing a fair number of 5136 events being forwarded and nothing else? This doesn't seem to be a permission issue.

bjvista - 3/4/2019

This is the XML query that the ADChanges filter is using:

<QueryList>
<Query Id="0" Path="Security">
  <Select Path="Security">*[System[( (EventID &gt;= 1100 and EventID &lt;= 1102) or EventID=1104 or EventID=1108 or EventID = 4610 or EventID=4614 or EventID=4622 or EventID=4697 or (EventID &gt;= 4704 and EventID &lt;= 4707) or EventID=4713 or (EventID &gt;= 4716 and EventID &lt;= 4720) or (EventID &gt;= 4725 and EventID &lt;= 4735) )]]</Select>
  <Select Path="Security">*[System[( (EventID &gt;= 4737 and EventID &lt;= 4739) or (EventID &gt;= 4754 and EventID &lt;= 4758) or EventID=4764 or EventID=4794 or EventID=4817 or EventID=4819 or (EventID &gt;= 4865 and EventID &lt;= 4867) or EventID=4906 or EventID=4908 or (EventID &gt;= 4911 and EventID &lt;= 4913) or EventID=6145)]]</Select>
  <Select Path="Security"> (*[System[EventID=5136]] and *[EventData[ Data[@Name='AttributeLDAPDisplayName'] = 'nTSecurityDescriptor' or Data[@Name='AttributeLDAPDisplayName'] = 'gpOptions' or Data[@Name='AttributeLDAPDisplayName'] = 'gpLink' ]]) or (*[System[EventID=5136 or EventID=5137]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=5141]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=4611]] and *[EventData[ Data[@Name='LogonProcessName'] != 'Winlogon' ]]) </Select>
  <Select Path="Security">*[System[EventID=4932]] and *[EventData[Data[@Name='Options'] = '2147483733']]</Select>
</Query>
</QueryList>  

So these are the events you should expect to see. Let's see if we can find where the hang-up is. The first step is: do you see these events on the domain controller(s) in the Security log in Event Viewer?

If you do, the next step is to see if they are forwarding. So in Event Viewer on the collector where the ADChanges log lives, do you see these events being collected?

If so, the next step is to see if Splunk is consuming and processing the events.
Start with step 1 and let us know what you find. We need to figure out if this is a WEC issue or a Splunk issue.

Brian.K - 3/5/2019

I'm only getting about 24 hours of logs showing in the Saved Logs > ADChanges location: 700 events, most of which are 5136; there are a few 4728 and 4737. Splunk reports still show "No results found".

bjvista - 3/6/2019

So then we are at step 1. We need to compare events in the Security log of the DC to the ADChanges log. We need to verify:
1. Which events from the above filter are logged on the DC?
2. Are these same events (not just IDs but the exact events) being forwarded? Are the exact same events located on the DC also located in the collector's ADChanges log?

If we can verify this we can move to the next step.
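The two checks bjvista asks for in the 3/4 and 3/6 replies (which filter-matching events the DC logs, and whether the exact same events reach the collector) can be scripted. The following is an added example, not code from the LOGbinder thread, Supercharger or the Splunk app: it runs the ADChanges subscription filter quoted above against a DC's Security log with Get-WinEvent -FilterXml, reads the same window from the collector's log, and reports per-EventID counts plus the individual DC events that never arrived. The host names DC01 and WEC01, the collector log name 'ADChanges' (the "Saved Logs > ADChanges" log in the thread) and the 24-hour window are placeholders and assumptions, not facts from the thread.

```powershell
<#
Added example; not code from the LOGbinder thread, Supercharger or the Splunk app.
Runs the ADChanges subscription filter against a DC's Security log, pulls the same
window from the collector's ADChanges log, and compares counts and individual events.
Assumptions (placeholders, not from the thread): host names DC01 and WEC01, a
collector log literally named 'ADChanges', and an account that can read both logs
remotely (e.g. Event Log Readers on the DC, local admin on the collector).
#>
param(
    [string]$DomainController = 'DC01',
    [string]$Collector        = 'WEC01',
    [string]$CollectorLog     = 'ADChanges',
    [int]   $Hours            = 24
)

$start = (Get-Date).AddHours(-$Hours)

# The subscription's XPath, as posted in the thread. Get-WinEvent -FilterXml takes
# the same QueryList document that Event Viewer's "XML" filter tab shows.
[xml]$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[( (EventID &gt;= 1100 and EventID &lt;= 1102) or EventID=1104 or EventID=1108 or EventID = 4610 or EventID=4614 or EventID=4622 or EventID=4697 or (EventID &gt;= 4704 and EventID &lt;= 4707) or EventID=4713 or (EventID &gt;= 4716 and EventID &lt;= 4720) or (EventID &gt;= 4725 and EventID &lt;= 4735) )]]</Select>
    <Select Path="Security">*[System[( (EventID &gt;= 4737 and EventID &lt;= 4739) or (EventID &gt;= 4754 and EventID &lt;= 4758) or EventID=4764 or EventID=4794 or EventID=4817 or EventID=4819 or (EventID &gt;= 4865 and EventID &lt;= 4867) or EventID=4906 or EventID=4908 or (EventID &gt;= 4911 and EventID &lt;= 4913) or EventID=6145)]]</Select>
    <Select Path="Security">(*[System[EventID=5136]] and *[EventData[ Data[@Name='AttributeLDAPDisplayName'] = 'nTSecurityDescriptor' or Data[@Name='AttributeLDAPDisplayName'] = 'gpOptions' or Data[@Name='AttributeLDAPDisplayName'] = 'gpLink' ]]) or (*[System[EventID=5136 or EventID=5137]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=5141]] and *[EventData[ Data[@Name='ObjectClass'] = 'groupPolicyContainer' ]]) or (*[System[EventID=4611]] and *[EventData[ Data[@Name='LogonProcessName'] != 'Winlogon' ]])</Select>
    <Select Path="Security">*[System[EventID=4932]] and *[EventData[Data[@Name='Options'] = '2147483733']]</Select>
  </Query>
</QueryList>
'@

function Get-EventKey([System.Diagnostics.Eventing.Reader.EventRecord]$e) {
    # Approximate identity of one event across the two logs: forwarding keeps the
    # source's TimeCreated and Computer (MachineName); the collector assigns its
    # own record numbers, so RecordId cannot be used as the key.
    '{0}|{1}|{2}' -f $e.TimeCreated.ToUniversalTime().ToString('o'), $e.Id, $e.MachineName
}

# Step 1 (thread): what does the DC itself log for this filter? The XPath is
# evaluated on the DC; only the time window is applied client-side.
$dcEvents = @(Get-WinEvent -ComputerName $DomainController -FilterXml $filterXml -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $start })

# Step 2 (thread): what did the collector actually receive from that DC?
$wecEvents = @(Get-WinEvent -ComputerName $Collector -FilterHashtable @{ LogName = $CollectorLog; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { $_.MachineName -like "$DomainController*" })

# Side-by-side counts per EventID: an ID present on the DC but absent on the
# collector is the one to chase (the thread's symptom was 5136 and little else).
$ids = @($dcEvents | ForEach-Object Id) + @($wecEvents | ForEach-Object Id) | Sort-Object -Unique
$ids | ForEach-Object {
    $id = $_
    [pscustomobject]@{
        EventID     = $id
        OnDC        = @($dcEvents  | Where-Object Id -eq $id).Count
        OnCollector = @($wecEvents | Where-Object Id -eq $id).Count
    }
} | Format-Table -AutoSize

# Exact-event comparison (bjvista's point 2): the same event, not just the same ID.
$received = @{}
foreach ($e in $wecEvents) { $received[(Get-EventKey $e)] = $true }
$missing = @($dcEvents | Where-Object { -not $received.ContainsKey((Get-EventKey $_)) })
'{0} of {1} filter-matching DC events from the last {2} h are not in {3}\{4}' -f $missing.Count, $dcEvents.Count, $Hours, $Collector, $CollectorLog
$missing | Select-Object -First 20 TimeCreated, Id, RecordId, MachineName | Format-Table -AutoSize
```

If OnDC is zero for an ID, the problem is audit policy or the filter, not forwarding; if OnDC is non-zero and OnCollector is zero, it is the subscription or the DC's access to the collector. bjvista's step 3 (whether Splunk ingests the collector log) is outside what this script can see: compare the OnCollector column against a Splunk search over the same window.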

Brian.K - 3/6/2019

It looks like a fair number of the events are now coming into the Saved Logs > ADChanges log. The times and Logon IDs match. A search in the Splunk search bar also shows the Logon IDs.

Brian.K - 3/12/2019

I've noticed the domain_controllers.csv file often refreshes but is not populating. What do I need to do to facilitate its population?

imrago - 3/12/2019

That lookup is refreshed by this saved search, which runs every 5 min:

update_domain_controllers_4932_4768

Please test whether this search returns results for you:

`select_winseclog_events` (EventCode=4932 OR EventCode=4768)


Brian.K - 3/12/2019

It's looking like none of the 4932 events are being forwarded, and no 4768s are being generated on the DC.

Brian.K - 3/18/2019

Digging deeper, I'm seeing plenty of 4932 events on my DC, but not with Options 2147483733. So it should be no surprise that nothing is being forwarded. What do I need to do to generate a 4932 event with Options 2147483733?
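The two findings in the 3/12 and 3/18 posts (no 4932 forwarded, no 4768 generated, and 4932 events present but without the Options value the filter selects) are the kind of thing worth measuring on the DC before asking why. The script below is an added example, not code from the thread, Supercharger or the Splunk app: run on the DC, it tabulates the Options values carried by recent 4932 events, reports how many would pass the subscription's literal comparison (2147483733, which is 0x80000055), and prints the audit policy for the two subcategories that produce 4932 (Directory Service Replication) and 4768 (Kerberos Authentication Service). The 24-hour window and the 5000-event cap are arbitrary assumptions; the script does not claim to know what the Options bits mean or how to make a DC emit that value, which the thread leaves unanswered.

```powershell
<#
Added example; not code from the LOGbinder thread, Supercharger or the Splunk app.
Run on a domain controller in an elevated prompt (auditpol needs it).
Assumptions: the 24 h window and 5000-event cap are arbitrary.
#>
param([int]$Hours = 24, [int]$MaxEvents = 5000)

$wanted = '2147483733'   # the literal the ADChanges filter compares Options against (0x80000055)
$start  = (Get-Date).AddHours(-$Hours)

function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Read a named EventData field from the event's XML, the same way the
    # subscription's XPath (Data[@Name='Options']) addresses it, so the
    # field's position in the Properties array never matters.
    [xml]$x = $Event.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4932; StartTime = $start } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No 4932 events in the last $Hours h. 4932 is written by the Directory Service Replication subcategory; see the audit policy below."
} else {
    '{0} 4932 events in the last {1} h, by Options value:' -f $events.Count, $Hours
    $events | ForEach-Object { Get-EventDataField -Event $_ -Name 'Options' } |
        Group-Object | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Options  = $_.Name
                Hex      = '0x{0:X8}' -f [uint32]($_.Name)
                Count    = $_.Count
                Selected = ($_.Name -eq $wanted)   # True only for the value the filter forwards
            }
        } | Format-Table -AutoSize
    $hits = @($events | Where-Object { (Get-EventDataField -Event $_ -Name 'Options') -eq $wanted }).Count
    "$hits of $($events.Count) would pass the subscription's Options filter."
}

# 4768 (a Kerberos TGT was requested) is only logged when Success auditing is on
# for Kerberos Authentication Service; 4932 needs Directory Service Replication.
auditpol /get /subcategory:"Directory Service Replication"
auditpol /get /subcategory:"Kerberos Authentication Service"
```

A table where Selected is False on every row reproduces the 3/18 observation exactly: the subscription is working as written, and the DC simply never produces an event that satisfies the XPath. Whether the lookup search needs that particular Options value, or any 4932 at all, is a question for the app's author.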

Brian.K - 4/1/2019

Will Supercharger 19.1.4.0 work with a domain functional level of 2008 R2?
I'm still having trouble getting anything to show up in Splunk.

Tamas Lengyel - 4/11/2019

Please see Supercharger server requirements at https://www.logbinder.com/Products/Supercharger/

Brian.K - 4/11/2019

Thank you for the link. But I cannot find any mention of what "Domain Functional Level" is required on the site. Are we to assume it will work under ANY functional level?

What do I need to do to generate a 4932 event with Options 2147483733?

Tamas Lengyel

I am not aware of any domain functional level requirement.
