Splunk Universal Forwarder is v6.4.x
Splunk Server is v6.5.x
In C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf , I have:
[WinEventLog://Security]
disabled = 0
index = wmi
I would normally see about 240 WinEventLog://Security "splunkd.exe" events logged per hour (for weeks).
Suddenly, that number jumped to over 4 million WinEventLog://Security "splunkd.exe" events logged per hour, and my indexing limit was exceeded.
Here's what gets logged:
TIMESTAMP
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=HOSTNAME
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=X
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: XXX
Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe
Network Information:
Direction: Outbound
Source Address: 10.X.X.X
Source Port: XXX
Destination Address: 172.X.X.X
Destination Port: XXX
Protocol: 6
Filter Information:
Filter Run-Time ID: XXX
Layer Name: Connect
Layer Run-Time ID: X
What could have possibly changed in a Windows machine that suddenly makes it log so many WinEventLog://Security "splunkd.exe" events?
I could set disabled=1, but then I'd lose the ability to track who is logging in/out of that machine.
Is there any way to just omit logging this kind of "Audit Success" / "The Windows Filtering Platform has permitted a connection" event?
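One way to keep the Security log input enabled while dropping the EventCode 5156 noise at the forwarder, as an added example that is not part of the original post: the Splunk 6.x inputs.conf spec supports `blacklist` (a list of event IDs) and `blacklist1` through `blacklist9` (`key=regex` pairs) on `WinEventLog://` stanzas, so the filter can be applied in the same `Splunk_TA_windows/local/inputs.conf` stanza quoted above. The stanza name, `disabled` and `index` values are the ones from the post; the blacklist lines and the path fragment in the regex are the added part, with the path taken from the sample event.

```ini
# Splunk_TA_windows/local/inputs.conf on the Universal Forwarder.
# Added example, not from the original post: keeps the Security log enabled
# but stops forwarding Windows Filtering Platform "permitted a connection"
# events (EventCode 5156) before they count against the indexing limit.
[WinEventLog://Security]
disabled = 0
index = wmi

# Simple form: comma-separated event IDs or ranges (e.g. 5150-5159).
# 5156 = "The Windows Filtering Platform has permitted a connection."
# Every 5156 event is dropped, whatever process generated it.
blacklist = 5156

# Advanced form (blacklist1 .. blacklist9): key=regex pairs, all of which
# must match for the event to be dropped. This narrower alternative drops
# only the 5156 events whose Application Name is the forwarder's own
# splunkd.exe and keeps 5156 events for every other process. Use it instead
# of the simple line above if the other connections are worth indexing.
# blacklist1 = EventCode="5156" Message="splunkuniversalforwarder\\bin\\splunkd\.exe"
```

Changes to inputs.conf take effect after the forwarder is restarted (`splunk restart` from the forwarder's `bin` directory). The blacklist only stops the events from being forwarded; Windows still writes them to the local Security log, because EventCode 5156 is emitted whenever success auditing is enabled for the "Filtering Platform Connection" audit subcategory. `auditpol /get /subcategory:"Filtering Platform Connection"` on the affected host shows whether that subcategory is currently set to audit successes, which is where a change from a few hundred to millions of events per hour would show up.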