# Splunk search for Windows event IDs: filtering the Security log in Splunk 6

Quite a while ago I wrote a blog post entitled The Splunk App for Active Directory and How I tamed the Security Log. It detailed how to limit the amount of data that was going into the Splunk index through filtering. I included two techniques: firstly, filtering by event code so that you didn't index the events you didn't want, and secondly, stripping the explanatory text from the end of each event. Splunk 6 makes this so much easier that the prior blog post is not even relevant any more.

Let's say you don't want firewall events. From the previous blog post, event ID 51 details the firewall connection accept and deny messages. Previously, we had to add a props.conf stanza to initiate a filtering action that was defined in transforms.conf; it was complicated. In Splunk 6 there are two new parameters you can specify directly in the inputs.conf stanza for the log. The first, shown here, is a blacklist of all the event IDs you don't want to monitor. You can use ranges (as I did here), comma-separate individual event IDs, or even comma-separate ranges of event IDs. The second parameter is a whitelist, for when there is more that you don't want to keep than you want to keep.

![inputs.conf blacklist screenshot](http://1.bp.blogspot.com/-cmJoJ3L2EYE/UaxpVaT01OI/AAAAAAAAXEY/hfdOBEpV_5k/s1600/screen9.png)

The second facility I wrote about was suppressing the explanatory text. Let's take a look at a typical Windows event prior to text suppression:

08:29:33 AM SourceName=Microsoft Windows security auditing. This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

You see that "This event is generated…" text? That's the explanatory text. Every single security event has similar explanatory text. Since these events get generated every 10-15 minutes for every single user on your domain controllers, and the explanatory text is 100+ bytes each time, you can see how they add up. In Splunk 6, you can add a new parameter, suppress_text, to your inputs.conf stanza to suppress the Message field. Now when you get those events, this is what they look like:

08:43:07 AM

You will note that there is NO message text at all. This is fine for some logs (usually custom service logs) where the message is not important. However, you will still need to use the same transform as before if you want some of the message but not all, for example with the Security log. Since all stanzas of the same name are merged together across apps, you should be careful about where you set the suppress_text parameter. In particular, do not set suppress_text on WinEventLog:Security: the Security log keeps its contextual fields (subject, logon type, source address and so on) inside the Message, so suppressing it throws away the important context along with the boilerplate. These two changes can make your Windows event log gathering more efficient, but as always, be careful of what you throw away.

# Event ID 4776

Event ID 4776 is logged whenever a domain controller (DC) validates the credentials of an account using NTLM rather than Kerberos. This event is also logged for logon attempts to a local SAM account on workstations and Windows servers, as NTLM is the default authentication mechanism for local logon; in that case the local machine, not a DC, is the computer that logs it. If the credentials were successfully validated, the authenticating computer logs this event ID with the Result Code field (shown as Error Code in the event's Message) equal to "0x0": Authentication Success, Event ID 4776 (S). A non-zero code is a failed validation, which is the case worth searching for.
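As an added example, not taken from the original post, here is the Splunk 6 inputs.conf approach beside the older props.conf/transforms.conf approach it replaces, including the one case where you still need the older mechanism (trimming only part of the Security log Message). The event IDs, the custom log name, the transform name and the regexes are assumptions for illustration; substitute the IDs your own environment produces. The stanza name `WinEventLog://Security` is the Splunk 6 spelling of what the post calls `WinEventLog:Security`.

```ini
# inputs.conf (Splunk 6+), on the forwarder that collects the Windows logs.
# Added example, not from the original post. Event IDs are assumed.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
# Blacklist: drop events you never want to index. Individual IDs, ranges,
# or a comma-separated mix of both are accepted (IDs here are hypothetical).
blacklist = 5156-5158,4688
# Do NOT set suppress_text on the Security log: the contextual fields
# (Subject, Logon Type, Source Network Address ...) live inside the
# Message, so suppressing it discards the context, not just the boilerplate.
# suppress_text = 1

[WinEventLog://Application]
disabled = 0
# Whitelist: keep only the listed events when more is unwanted than wanted
# (IDs here are hypothetical).
whitelist = 1000-1002,1026

# A hypothetical custom service log where only the event code matters:
# here dropping the whole Message is safe.
[WinEventLog://MyServiceLog]
disabled = 0
suppress_text = 1


# props.conf (the pre-Splunk 6 way, and still what you need when you want
# to keep part of the Message, as with the Security log).
[WinEventLog:Security]
# Route unwanted event codes to the null queue (transform defined below).
TRANSFORMS-drop_fw = wineventlog_drop_firewall
# Strip only the trailing explanatory paragraph and keep the contextual
# fields above it. The regex is an assumption: test it against your own
# events before relying on it.
SEDCMD-strip_explanation = s/(?ms)^This event is generated.*//


# transforms.conf
[wineventlog_drop_firewall]
# Match the EventCode line of the classic WinEventLog rendering (IDs assumed).
REGEX = (?m)^EventCode=(5156|5157|5158)$
DEST_KEY = queue
FORMAT = nullQueue
```

One practical difference worth knowing: the inputs.conf blacklist, whitelist and suppress_text are applied on the forwarder before the data leaves the host, so they save network bandwidth as well as index volume, whereas the props.conf/transforms.conf route runs at parsing time on the indexer (or a heavy forwarder), so dropped events still cross the wire. Because stanzas of the same name are merged across apps, grep every app's inputs.conf for `WinEventLog://Security` before you assume nobody has set suppress_text on it.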