Splunk Lantern

Microsoft recommended application log events

You might want to examine logs from high-frequency Microsoft application events when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

A solid event log monitoring system is a crucial part of any secure Windows environment or Active Directory design. Many computer security compromises could be discovered early if the victims enacted appropriate event log monitoring and alerting. This search leverages application monitoring recommendations provided by Microsoft to identify whether an event should be considered of low, medium, or high criticality in detecting attacks and errors.

NOTE: To optimize the search shown below, you should specify an index and a time range. 

  1. Verify that you deployed the add-on to the search heads and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
  2. Run the following search: 
sourcetype=WinEventLog 
|stats count BY EventCode LogName severity Type signature 
|rename count AS Total_Events Type AS Event_Type 
|fillnull value=0 Total_Events 
|sort - Total_Events 
|table LogName EventCode severity Event_Type signature Total_Events

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=WinEventLog 

Search only Windows event logs.

|stats count BY EventCode LogName severity Type signature

Count the number of times each event combination occurred.

|rename count AS Total_Events Type AS Event_Type 

Rename the fields as shown for better readability.

|fillnull value=0 Total_Events

Set the Total_Events field to 0 if null. This will be a rare occurrence.

|sort - Total_Events 

Sort with the most frequently occurring result combination first. 

|table LogName EventCode severity Event_Type signature Total_Events

Display the results in a table with columns in the order shown.

Result

The following table shows sample search results. It shows what events took place, ordered by count of events (Total_Events). The other columns give descriptions of the events. From the table, you can decide what to further summarize or pay attention to.  

| LogName | EventCode | severity | Event_Type | signature | Total_Events |
| --- | --- | --- | --- | --- | --- |
| Security | 4624 | informational | Information | An account was successfully logged on | 52480 |
| Security | 4625 | informational | Information | An account failed to log on | 24504 |
| Application | 1001 | informational | Information | Windows Error Reporting | 9856 |
| Security | 5136 | informational | Active Directory Domain Services | A directory service object was modified | 8024 |
| Application | 1001 | medium | Warning | Windows Error Reporting | 1696 |

While the search provided above gives a full picture of event codes that occur in your network, you might find a targeted search for risky errors more useful. After understanding the general state of your applications, you could run the following search to identify specific computers and users who are linked to application logs that can benefit from further investigation:

sourcetype=wineventlog (Type=ERROR OR severity=high)
|stats count BY Type severity ComputerName User

The parentheses matter: in SPL an implicit AND binds more tightly than OR, so without them the search would match every high-severity event from any sourcetype, not just Windows events.
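As an added illustration, not code from Splunk Lantern or the Windows add-on, the Python below reproduces offline what the two searches on this page do: it parses constructed WinEventLog-style key=value records, runs the `stats count BY ... | sort - count` aggregation, and applies the risky-error filter with the OR explicitly grouped. The sample events, host names and user names are constructed; the severity labels assume the informational/medium/high values shown in the results table.

```python
from collections import Counter

# Constructed sample events in the multiline key=value layout that
# sourcetype=WinEventLog uses; records are separated by a blank line.
SAMPLE_WINEVENTLOG = """\
LogName=Security
EventCode=4624
Type=Information
severity=informational
ComputerName=DC01
User=alice

LogName=Security
EventCode=4624
Type=Information
severity=informational
ComputerName=DC01
User=bob

LogName=Application
EventCode=1001
Type=Error
severity=high
ComputerName=WS07
User=carol
"""

def parse_events(raw):
    """Split blank-line-separated records into dicts of field -> value."""
    events = []
    for block in raw.strip().split("\n\n"):
        fields = dict(line.split("=", 1) for line in block.splitlines() if "=" in line)
        events.append(fields)
    return events

def stats_count_by(events, *by):
    """Equivalent of `stats count BY <fields>` followed by `sort - count`.
    Returns [(tuple of group values, count), ...] with the largest count first."""
    counts = Counter(tuple(e.get(f) for f in by) for e in events)
    return sorted(counts.items(), key=lambda kv: -kv[1])

def risky_events(events):
    """The targeted search: Type=ERROR OR severity=high, evaluated only over
    Windows events (the sourcetype filter is applied by the caller, as the
    parentheses in the SPL make explicit). Value matching is case-insensitive,
    as in Splunk search."""
    return [e for e in events
            if e.get("Type", "").lower() == "error" or e.get("severity") == "high"]
```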

You can save the search and its results as a dashboard, a report (saved search), or an alert, and associate an action with the alert, such as opening a ticket or sending a notification to the on-call help desk for rapid action.
