
Release history for the Splunk Add-on for Windows
The latest version of the Splunk Add-on for Windows is version 8.8.0. See Release notes for the Splunk Add-on for Windows.
Version 8.7.0
Version 8.7.0 of the Splunk Add-on for Windows was released on April 21, 2023.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.7.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.7.0 of the Splunk Add-on for Windows has the following new or changed features:
- Tagged Windows DNS logs collected in MSAD:NT6:DNS sourcetype with NetworkResolution:DNS data model and mapped the relevant CIM fields.
See CIM model and Field Mapping changes for MSAD:NT6:DNS for more details on the Event Code changes.
Fixed Issues
Version 8.7.0 of the Splunk Add-on for Windows fixes the following issues:
Date resolved | Issue number | Description |
---|---|---|
2023-05-03 | ADDON-61555 | src_nt_domain field extracting value from next line when "Security_ID" field is missing for source WinEventLog:Security |
Known Issues
Version 8.7.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Version 8.6.0
Version 8.6.0 of the Splunk Add-on for Windows was released on January 23, 2023.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.6.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.6.0 of the Splunk Add-on for Windows has the following new or changed features:
- CIM enhancements for the following Event Codes: 4727, 4728, 4729, 4730, 4731, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4799, 4764. See Field Changes for more details on the Event Code changes. (To review field extraction changes, refer to the Field Changes section.)
- For EventCodes: 4727, 4730, 4731, 4734, 4735, 4737, 4754, 4755, 4758, 4764 the user field has been removed as these events belong to object_category=group.
- Mapped the 4799 Event Code of the Windows Security to the Change:All_Changes data model.
Fixes
- Fixed the signature field extraction issue for source WinEventLog:System.
Notes:
- If the configured input has `evt_resolve_ad_obj = 1`, then the values for Member:Security_ID, Group:Security_ID, and Subject:Security_ID will be in the enriched "DOMAIN\UserName" format.
- If the configured input has `evt_resolve_ad_obj = 0`, then the values for Member:Security_ID, Group:Security_ID, and Subject:Security_ID will be in the traditional Windows SID format, i.e. S-1-1234-etc.
Field Changes
Source - WinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 4727 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4728 | src_user_name, object_id, object, user_name, src | |
WinEventLog | 4729 | src_user_name, object_id, object, user_name, src | |
WinEventLog | 4730 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4731 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4733 | src_user_name, object_id, src | user |
WinEventLog | 4734 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4735 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4737 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4754 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4755 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4756 | object_attrs, Group_Name, src_user_name, user_group, object_id, object, user_name, Group_Domain, src | |
WinEventLog | 4757 | src_user_name, object_id, object, user_name, src | |
WinEventLog | 4758 | src_user, src_user_name, object_id, object, src | user |
WinEventLog | 4764 | src_user, src_user_name, object_id, object, src | user, object_attrs |
WinEventLog | 4799 | object_category, result, change_type, subject, signature, object_id, object, user_name, src, name | |
Source - XmlWinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
XmlWinEventLog | 4727 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4728 | src_user_name, object_id, user_name, object_attrs, src, object | |
XmlWinEventLog | 4729 | src_user_name, object_id, user_name, object_attrs, src, object | |
XmlWinEventLog | 4730 | src_user_name, object_id, object_attrs, src, object | user |
XmlWinEventLog | 4731 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4733 | object_attrs, src_user_name, src, object_id | user |
XmlWinEventLog | 4734 | src_user_name, object_id, object_attrs, src, object | user |
XmlWinEventLog | 4735 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4737 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4754 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4755 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4756 | src_user_name, object_id, user_name, object_attrs, src, object | |
XmlWinEventLog | 4757 | src_user_name, object_id, user_name, object_attrs, src, object | |
XmlWinEventLog | 4758 | src_user_name, object_id, object_attrs, src, object | user |
XmlWinEventLog | 4764 | src_user_name, src, object_id, object | user |
XmlWinEventLog | 4799 | result, object_id, user_name, object_attrs, change_type, name, src, subject, object, signature, object_category | |
Fixed Issues
Version 8.6.0 of the Splunk Add-on for Windows fixes the following issues:
Known Issues
Version 8.6.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Version 8.5.0
Version 8.5.0 of the Splunk Add-on for Windows was released on April 21, 2022.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.5.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.5.0 of the Splunk Add-on for Windows has the following new or changed features:
- CIM enhancements for these Event Codes: 104, 1102, 4624, 4625, 4634, 4698, 4700, 4701, 4702, 4719, 4720, 4732, 4740, 4800, 4801. (To review field extraction changes, refer to the Field Changes section.)
- Removed the incorrect Endpoint:Filesystem CIM tags from the wineventlog_windows event type.
- Removed the fs_notification event type and the fs_notification source type extractions, as Splunk no longer supports this source type.
Fixes
- Fixed the user field extraction issue for Event Codes 4728, 4729, 4732 when the distinguished name (DN) contains "Lastname, Firstname".
Notes:
- If the Member:Security_ID value uses the enriched "DOMAIN\UserName" format, then the user field is extracted as UserName.
- If the Member:Security_ID value uses the traditional Windows SID (S-1234-etc) format, then the user field is extracted from the first RDN section of the Member:Account Name string (which gets logged in LDAP DN format).
- If the Member:Security_ID value uses the traditional Windows SID (S-1234-etc) format and Member:Account Name is logged as `CN=Lastname\, Firstname,OU=Users,DC=CONTOSO,DC=com`, then the first RDN section can be in the lastname,firstname format, in which case the user field will not be extracted.
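To make the two Security_ID notes concrete (the `evt_resolve_ad_obj` value formats described under version 8.6.0 and the RDN rule described here), the following Python is an added illustration of that decision rule; it is not the add-on's own extraction code (which lives in props.conf regexes), and the domain, SID and DN values in it are constructed samples.

```python
import re

# Enriched "DOMAIN\UserName" form (evt_resolve_ad_obj = 1 in the 8.6.0 notes).
DOMAIN_USER_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<user>[^\\]+)$")
# Loose check for the traditional Windows SID form (evt_resolve_ad_obj = 0).
SID_RE = re.compile(r"^S-\d+(-\d+)+$")


def split_dn(dn):
    """Split an LDAP DN into its RDN strings, honouring RFC 4514 backslash
    escapes, so that an escaped comma inside a CN does not start a new RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # an unescaped comma separates RDNs
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return [r.strip() for r in rdns if r.strip()]


def first_rdn_value(dn):
    """Return the unescaped attribute value of the first RDN (usually the CN)."""
    _, _, value = split_dn(dn)[0].partition("=")
    return re.sub(r"\\(.)", r"\1", value.strip())


def extract_user(security_id, account_name):
    """Decide what the user field would hold under the rule in the notes:
    UserName from the enriched form, the first RDN of the DN when the
    Security_ID is a SID, and None when that RDN is in lastname,firstname form."""
    m = DOMAIN_USER_RE.match(security_id)
    if m:
        return m.group("user")
    if SID_RE.match(security_id):
        value = first_rdn_value(account_name)
        return None if "," in value else value
    return None


# Constructed sample values (not taken from any real event).
SAMPLES = [
    ("CONTOSO\\jdoe", "CN=John Doe,OU=Users,DC=CONTOSO,DC=com"),
    ("S-1-5-21-1004336348-1177238915-682003330-1106",
     "CN=jdoe,OU=Users,DC=CONTOSO,DC=com"),
    ("S-1-5-21-1004336348-1177238915-682003330-1106",
     "CN=Lastname\\, Firstname,OU=Users,DC=CONTOSO,DC=com"),
]


def run_samples():
    """Return the user value each constructed sample resolves to."""
    return [extract_user(sid, dn) for sid, dn in SAMPLES]


if __name__ == "__main__":
    for (sid, dn), user in zip(SAMPLES, run_samples()):
        print(f"{sid:45} {dn:52} -> {user}")
```

The third sample shows the case the 8.5.0 fix is about: the escaped comma keeps "Lastname, Firstname" inside one RDN, so the value contains a comma and no user is extracted.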
Field Changes
Source - WinEventLog:System field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 104 | object, user_name, object_category, action, result, status, change_type | |
Source - XmlWinEventLog:System field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 104 | user, object, user_name, object_category, user_data_channel, action, result, status, change_type | |
Source - WinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 1102 | result, object, user_name | |
WinEventLog | 4624 | authentication_method | |
WinEventLog | 4625 | authentication_method | |
WinEventLog | 4634 | object_id, change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name | |
WinEventLog | 4698 | object, user_name, TaskContent, object_category, object_attrs, result, change_type | |
WinEventLog | 4700 | object, user_name, TaskContent, object_category, object_attrs, result, change_type | |
WinEventLog | 4701 | object, user_name, TaskContent, object_category, object_attrs, result, change_type | |
WinEventLog | 4702 | object, user_name, TaskNewContent, object_category, object_attrs, result, change_type | |
WinEventLog | 4719 | result, object, user_name | |
WinEventLog | 4720 | src_user_name, object_id, object, user_name, object_attrs, New_Account_Account_Name, New_Account_Domain, New_Account_Security_ID | |
WinEventLog | 4732 | src_user_name, object_id, Member_Security_ID, object, user_name, Member_Account_Name | |
WinEventLog | 4740 | src_user_name, object_id, Account_Locked_Out_Security_ID, Account_Locked_Out_Name, object, user_name, object_attrs | |
WinEventLog | 4800 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name | |
WinEventLog | 4801 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name | |
Source - XmlWinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
XmlWinEventLog | 1102 | result, object, user, user_name | |
XmlWinEventLog | 4624 | authentication_method | |
XmlWinEventLog | 4625 | authentication_method | |
XmlWinEventLog | 4634 | object_id, change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain | |
XmlWinEventLog | 4698 | user, object, user_name, object_category, object_attrs, result, change_type | |
XmlWinEventLog | 4700 | user, object, user_name, object_category, object_attrs, result, change_type | |
XmlWinEventLog | 4701 | user, object, user_name, object_category, object_attrs, result, change_type | |
XmlWinEventLog | 4702 | user, object, user_name, object_category, object_attrs, result, change_type | |
XmlWinEventLog | 4719 | result, object, user, user_name | |
XmlWinEventLog | 4720 | src_user_name, object_id, object, user_name, object_attrs | |
XmlWinEventLog | 4732 | src_user_name, object_id, object, user_name, object_attrs | |
XmlWinEventLog | 4740 | src_user_name, object, user_name, object_attrs | |
XmlWinEventLog | 4800 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain | |
XmlWinEventLog | 4801 | change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain | |
Fixed Issues
Version 8.5.0 of the Splunk Add-on for Windows fixes the following issues:
Known Issues
Version 8.5.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Version 8.4.0
Version 8.4.0 of the Splunk Add-on for Windows was released on February 1, 2022.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.4.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.4.0 of the Splunk Add-on for Windows has the following new or changed features:
Features
- Enhanced "win_listening_ports.bat" input to get the process name associated with the listening port.
- Added 'storage_free', 'storage', 'storage_used', and 'storage_used_percent' field extractions for "PerfmonMk:LogicalDisk" sourcetype.
- Added 'user_type'=computer field extraction for the EventCodes 4741, 4742, and 4743.
- Added 'dest' and 'resource_type' field extractions for the "Script:TimesyncStatus" sourcetype.
- Introduced a new eventtype 'windows_security_change_account' (with tags: 'account', 'change' and CIM datamodel: Change:Account_Management) which will only apply to Windows Event Codes: 4703, 4704, 4705, 4722, 4723, 4724, 4725, 4726, 4738, 4767, and 4781 falling under source="WinEventLog:Security" OR source="XmlWinEventLog:Security". Also enhanced the CIM mappings for these Event Codes. (To review field extraction changes, please refer to "Field Changes" Section)
- Excluded Event Codes: 4703, 4704, 4705, 4722, 4723, 4724, 4725, 4726, 4738, 4767, 4781 from 'wineventlog_windows' eventtype to remove the incorrect Endpoint:Filesystem CIM tag.
- Added support of the latest DHCP event format and enhanced the CIM mapping of the "DhcpSrvLog" sourcetype.
CIM Data Model | DHCP Event IDs before v8.4.0 | DHCP Event IDs after v8.4.0 |
---|---|---|
Network Sessions:DHCP | All the DHCP events (sourcetype=DhcpSrvLog) | 10,11,12,13,14,15,16,17,18 |
Network Sessions:Session_Start | 10,11,13 | 10,11 |
Network Sessions:Session_End | 12,16,17 | 12,16,17,18 |
Notes:
- Removed the tags (dhcp network session) from 'DhcpSrvLog' eventtype and created new 'DhcpSrvLog_dhcp' eventtype which covers Event Codes mapped with NetworkSession:dhcp DM.
- The header for latest supported event format is [ ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError ]
Fixes
- Removed invalid 'object' field extraction (sourcetype AS object) from all security events. (Note: Existing users relying on the 'object' field can directly use the 'sourcetype' field.)
- Fixed the 'Name' field extraction issue for "WMI:LocalProcesses" sourcetype when Name contains the space character.
Field Changes
Source - WinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
WinEventLog | 4703 | change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, object_category, Target_Logon_ID, object_attrs, Target_Account_Name, user_name, user_group, Target_Account_Domain, result, object_id | |
WinEventLog | 4704 | change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Subject_Account_Name, object_category, Target_Account_Name, object_attrs, user_name, user_group, result | |
WinEventLog | 4705 | change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Subject_Account_Name, object_category, Target_Account_Name, object_attrs, user_name, user_group, result | |
WinEventLog | 4722 | Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id | |
WinEventLog | 4723 | Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, Target_Account_Domain, user_group, result, object_id | |
WinEventLog | 4724 | Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, Target_Account_Domain, user_group, result, object_id | |
WinEventLog | 4725 | Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id | |
WinEventLog | 4726 | Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id | |
WinEventLog | 4738 | Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id | |
WinEventLog | 4767 | Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id | |
WinEventLog | 4781 | Target_Old_Account_Name, src_user, Target_New_Account_Name, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, user_name, Target_Account_Domain, Subject_Security_ID, object_id | |
Source - XmlWinEventLog:Security field mapping changes
Source-type | EventCode | Fields added | Fields removed |
---|---|---|---|
XmlWinEventLog | 4703 | result, user_name, object_attrs, object_category, object_id, src_user_name, change_type | |
XmlWinEventLog | 4704 | result, object_attrs, object_id, object_category, src_user_name, change_type | |
XmlWinEventLog | 4705 | result, object_attrs, object_id, object_category, src_user_name, change_type | |
XmlWinEventLog | 4722 | user_name, object_attrs, src_user_name, object_id | |
XmlWinEventLog | 4723 | result, user_name, src_user_name, object_id | |
XmlWinEventLog | 4724 | result, user_name, src_user_name, object_id | |
XmlWinEventLog | 4725 | user_name, object_attrs, src_user_name, object_id | |
XmlWinEventLog | 4726 | user_name, object_attrs, src_user_name, object_id | |
XmlWinEventLog | 4738 | user_name, object_attrs, src_user_name, object_id | |
XmlWinEventLog | 4767 | user_name, object_attrs, src_user_name, object_id | |
XmlWinEventLog | 4781 | user, user_name, src_user_name, object_id | |
Fixed Issues
Version 8.4.0 of the Splunk Add-on for Windows fixes the following issues:
Known Issues
Version 8.4.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:
Version 8.3.0
Version 8.3.0 of the Splunk Add-on for Windows was released on December 8, 2021.
The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is lower than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.
The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.
Compatibility
Version 8.3.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:
Splunk platform versions | 8.1.x, 8.2.x |
CIM | 4.15 and later |
Platform | Windows |
Vendor Products | Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server |
New or changed features
Version 8.3.0 of the Splunk Add-on for Windows has the following new or changed features:
Features
- Support for Windows Server 2022 and Windows 11
Fixed Issues
Version 8.3.0 of the Splunk Add-on for Windows fixes the following issues:
Known Issues
Version 8.3.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported: