The EventCode lookups in the Splunk App for Windows Infrastructure return incorrect values

The Splunk App for Windows Infrastructure has the windows_signatures.csv lookup file:

```
signature_id,signature,CategoryString,action,result
512,"Windows NT is starting up",,,
...
1104,"The security Log is now full",,,
```

And then the lookup itself:

```
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStaus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
```

So here's the problem. I have an event coming from SharePoint with event code 1104:

```
LogName=Application
SourceName=Microsoft-SharePoint Products-PerformancePoint Service
EventCode=1104
```

And the lookup matches it - based on it being event code 1104 - to the message "The security Log is now full". That's wrong - and pretty alarming. It looks like the lookup file is just for events from the Security log, yet the lookup is ignoring the log name, so event code 1104 becomes a full security log regardless of the log name (let alone the source name).

I'm still new with Splunk, so it's possible that I've effed something up to get this result. Has anyone else noticed this?
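To make the collision concrete, here is an added Python model of the two lookup behaviours (this is example code, not part of the app or the post): it parses the key=value event shown above, applies the app's signature_id-only match, and then a log-aware match. The `log_name` column in the CSV excerpt and the Security-log sample event are assumptions constructed for the example.

```python
import csv
import io
import re

# Constructed excerpt of windows_signatures.csv; the "log_name" column is an
# assumption added for this example and is not in the app's lookup file.
LOOKUP_CSV = """signature_id,signature,log_name
512,Windows NT is starting up,Security
1104,The security Log is now full,Security
"""

# Constructed sample events in the key=value form seen in the post.
EVENTS = [
    "LogName=Security SourceName=Microsoft-Windows-Eventlog EventCode=1104",
    "LogName=Application SourceName=Microsoft-SharePoint Products-PerformancePoint Service EventCode=1104",
]


def parse_event(raw):
    """Return (LogName, EventCode) from a key=value line whose values may contain spaces."""
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", raw))
    return fields.get("LogName"), fields.get("EventCode")


def load_lookup():
    """Load the lookup CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(LOOKUP_CSV)))


def lookup_by_code_only(event_code, rows):
    """Mirrors LOOKUP-signature_for_windows3: match on signature_id alone."""
    for row in rows:
        if row["signature_id"] == event_code:
            return row["signature"]
    return None


def lookup_by_log_and_code(log_name, event_code, rows):
    """Log-aware variant: the event must also come from the log the signature belongs to."""
    for row in rows:
        if row["signature_id"] == event_code and row["log_name"] == log_name:
            return row["signature"]
    return None


def classify(raw, rows):
    """Return (code_only_result, log_aware_result) for one raw event line."""
    log_name, code = parse_event(raw)
    return lookup_by_code_only(code, rows), lookup_by_log_and_code(log_name, code, rows)


if __name__ == "__main__":
    for raw in EVENTS:
        print(raw.split()[0], "->", classify(raw, load_lookup()))
```

The SharePoint event yields the false "security Log is now full" match under the code-only lookup and no match under the log-aware one. In Splunk itself the equivalent would be adding a log-name column to the CSV and listing it as a second match field in the LOOKUP- stanza, assuming the column name lines up with the LogName field.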
