Not so much a question, but an observation looking for confirmation. If true, looking to spread the word.
Recently our Windows Security event alerts for group changes have been blank. The event log entry corresponding to the change shows "Splunk could not get the description...". After reading many outdated articles with little to no success, and updating as much as I was willing, I discovered the trend. This message only came from domain controllers after a recent Windows Update. I correlated the updates between two servers and eliminated the updates which did not change anything event log related. This is based on the Universal Forwarder using Windows DLLs/APIs to read the event logs. I narrowed it down to 3 candidates and picked the one I felt was the culprit. I uninstalled the update and event details resumed. The update in question is related to KB3146706 and is titled MS16-044: Security update for Windows OLE: April 12, 2016.
Has this update messed with anyone else? Or if you have this behavior and are willing to uninstall this update, can you confirm this?
Where else to spread the word, if true?
Also note, this is not a Splunk issue, since I also send logs via an rsyslog agent and its format was messed up.
For the curious, I think the two DLLs in question are Adtschema.dll and Msaudite.dll, but this update changes several files.
If it matters, my Splunk indexer and such are on Linux. The Windows systems use the Universal Forwarder.
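As an added example (not code from the original poster), here is one way to carry out the correlation described above in PowerShell: diff the installed hotfixes between an affected and an unaffected domain controller, check whether the suspect KB is present, compare the versions of the two audit message DLLs named above, and test whether recent group-membership-change events still render a description. The server names DC1 and DC2 are placeholders, and the script assumes remote Get-HotFix/Get-WinEvent access, the admin share for the DLL version check, and rights to read the Security log.

```powershell
# Added example, not from the original post.
# Assumes: DC1 (affected) and DC2 (unaffected) are placeholder names, WinRM/RPC
# access to both, C$ admin share reachable, and rights to read the Security log.
param(
    [string]$AffectedServer   = 'DC1',
    [string]$UnaffectedServer = 'DC2',
    [string]$SuspectKB        = 'KB3146706'
)

# 1. Diff installed updates: which hotfixes exist only on the affected server?
$onAffected   = Get-HotFix -ComputerName $AffectedServer   | Select-Object -ExpandProperty HotFixID
$onUnaffected = Get-HotFix -ComputerName $UnaffectedServer | Select-Object -ExpandProperty HotFixID
$onlyOnAffected = Compare-Object -ReferenceObject $onAffected -DifferenceObject $onUnaffected |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

"Updates present only on ${AffectedServer}:"
$onlyOnAffected

# 2. Is the suspect update installed on the affected server?
"$SuspectKB installed on ${AffectedServer}: $($onAffected -contains $SuspectKB)"

# 3. Compare the audit message DLLs the poster suspects. A version difference
#    between the two servers points at an update that touched event descriptions.
foreach ($dll in 'adtschema.dll', 'msaudite.dll') {
    foreach ($srv in $AffectedServer, $UnaffectedServer) {
        $path = "\\$srv\C$\Windows\System32\$dll"
        $ver  = (Get-Item $path -ErrorAction SilentlyContinue).VersionInfo.FileVersion
        '{0,-4} {1,-14} {2}' -f $srv, $dll, $ver
    }
}

# 4. Do recent group-change events still render a description?
#    4728/4732/4756 = member added to a security-enabled global/local/universal group.
#    When the publisher metadata cannot be resolved, Get-WinEvent returns an
#    event whose Message property is empty, which is what the blank alerts look like.
$events = Get-WinEvent -ComputerName $AffectedServer -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4732, 4756
} -MaxEvents 20 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $state = if ([string]::IsNullOrWhiteSpace($e.Message)) { 'NO DESCRIPTION' } else { 'ok' }
    '{0}  EventID={1}  {2}' -f $e.TimeCreated, $e.Id, $state
}
```

Run it before and after uninstalling the update on the affected server; if the step-4 output flips from "NO DESCRIPTION" to "ok" and the step-3 DLL versions change, that is the confirmation the post is asking for.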