Splunk® Supported Add-ons

Splunk Add-on for Microsoft Windows

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Release history for the Splunk Add-on for Windows

The latest version of the Splunk Add-on for Windows is version 8.8.0. See Release notes for the Splunk Add-on for Windows.

Version 8.7.0

Version 8.7.0 of the Splunk Add-on for Windows was released on April 21, 2023.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.7.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.7.0 of the Splunk Add-on for Windows has the following new or changed features:

  • Tagged Windows DNS logs collected in MSAD:NT6:DNS sourcetype with NetworkResolution:DNS data model and mapped the relevant CIM fields.

See CIM model and Field Mapping changes for MSAD:NT6:DNS for more details on the Event Code changes.

Fixed Issues

Version 8.7.0 of the Splunk Add-on for Windows fixes the following issues:


Date resolved Issue number Description
2023-05-03 ADDON-61555 src_nt_domain field extracting value from next line when "Security_ID" field is missing for source WinEventLog:Security

Known Issues

Version 8.7.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:


Version 8.6.0

Version 8.6.0 of the Splunk Add-on for Windows was released on January 23, 2023.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.6.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.6.0 of the Splunk Add-on for Windows has the following new or changed features:

  • CIM enhancements for the following Event Codes: 4727, 4728, 4729, 4730, 4731, 4733, 4734, 4735, 4737, 4754, 4755, 4756, 4757, 4758, 4799, 4764. See Field Changes for more details on the Event Code changes.

(To review field extraction changes, please refer to Field Changes Section)

  • For EventCodes: 4727, 4730, 4731, 4734, 4735, 4737, 4754, 4755, 4758, 4764 the user field has been removed as these events belong to object_category=group.
  • Mapped the 4799 Event Code of the Windows Security to the Change:All_Changes data model.



Fixes

  • Fixed the signature field extraction issue for source WinEventLog:System.

Notes:

  • If the configured input has evt_resolve_ad_obj = 1 then the value forMember:Security_ID, Group:Security_ID, Subject:Security_ID will be in enriched "DOMAIN\UserName" format.
  • If the configured input has evt_resolve_ad_obj = 0 then the value forMember:Security_ID, Group:Security_ID, Subject:Security_ID will be in traditional Windows SID format, i.e. S-1-1234-etc


Field Changes

Source - WinEventLog:Security field mapping changes

Source-type EventCode Fields added Fields removed


['WinEventLog'] 4727 src_user, src_user_name, object_id, object, src user
['WinEventLog'] 4728 src_user_name, object_id, object, user_name, src
['WinEventLog'] 4729 src_user_name, object_id, object, user_name, src
['WinEventLog'] 4730 src_user, src_user_name, object_id, object, src user
['WinEventLog'] 4731 src_user, src_user_name, object_id, object, src user
['WinEventLog'] 4733 src_user_name, object_id, src user
['WinEventLog'] 4734 src_user, src_user_name, object_id, object, src user
['WinEventLog'] 4735 src_user, src_user_name, object_id, object, src user
['WinEventLog'] 4737 src_user, src_user_name, object_id, object, src user
['WinEventLog'] 4754 src_user, src_user_name, object_id, object, src user
['WinEventLog'] 4755 src_user, src_user_name, object_id, object, src user
['WinEventLog'] 4756 object_attrs, Group_Name, src_user_name, user_group, object_id, object, user_name, Group_Domain, src
['WinEventLog'] 4757 src_user_name, object_id, object, user_name, src
['WinEventLog'] 4758 src_user, src_user_name, object_id, object, src user
['WinEventLog'] 4764 src_user, src_user_name, object_id, object, src user, object_attrs
['WinEventLog'] 4799 object_category, result, change_type, subject, signature, object_id, object, user_name, src, name


Source - XmlWinEventLog:Security field mapping changes

Source-type EventCode Fields added Fields removed
['XmlWinEventLog'] 4727 src_user_name, src, object_id, object user
['XmlWinEventLog'] 4728 src_user_name, object_id, user_name, object_attrs, src, object
['XmlWinEventLog'] 4729 src_user_name, object_id, user_name, object_attrs, src, object
['XmlWinEventLog'] 4730 src_user_name, object_id, object_attrs, src, object user
['XmlWinEventLog'] 4731 src_user_name, src, object_id, object user
['XmlWinEventLog'] 4733 object_attrs, src_user_name, src, object_id user
['XmlWinEventLog'] 4734 src_user_name, object_id, object_attrs, src, object user
['XmlWinEventLog'] 4735 src_user_name, src, object_id, object user
['XmlWinEventLog'] 4737 src_user_name, src, object_id, object user
['XmlWinEventLog'] 4754 src_user_name, src, object_id, object user
['XmlWinEventLog'] 4755 src_user_name, src, object_id, object user
['XmlWinEventLog'] 4756 src_user_name, object_id, user_name, object_attrs, src, object
['XmlWinEventLog'] 4757 src_user_name, object_id, user_name, object_attrs, src, object
['XmlWinEventLog'] 4758 src_user_name, object_id, object_attrs, src, object user
['XmlWinEventLog'] 4764 src_user_name, src, object_id, object user
['XmlWinEventLog'] 4799 result, object_id, user_name, object_attrs, change_type, name, src, subject, object, signature, object_category


Fixed Issues

Version 8.6.0 of the Splunk Add-on for Windows fixes the following issues:

Known Issues

Version 8.6.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:


Version 8.5.0

Version 8.5.0 of the Splunk Add-on for Windows was released on April 21, 2022.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.5.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.5.0 of the Splunk Add-on for Windows has the following new or changed features:

  • CIM enhancements for these Event Codes: 104, 1102, 4624, 4625, 4634, 4698, 4700, 4701, 4702, 4719, 720, 4732, 4740, 4800, 4801

(To review field extraction changes, please refer to Field Changes Section)

  • Removed the incorrect Endpoint:Filesystem CIM tags from the wineventlog_windows event type.
  • Removed the fs_notification event type and fs_notification source type extractions as Splunk no longer supports this source type.


Fixes

  • Fixed the user field extraction issue for Event Codes 4728, 4729, 4732 when the distinguished name (DN) contains "Lastname, Firstname".

Notes:

  • If the Member:Security_ID value uses the enriched "DOMAIN\UserName" format then the user field would be extracted as UserName.
  • If the Member:Security_ID value uses the traditional Windows SID (S-1234-etc) format then the user field will be extracted from the first RDN section of the Member:Account Name string (which gets logged as an LDAP DN format).
  • If the Member:Security_ID value uses the traditional Windows SID (S-1234-etc) format and the first RDN section of Member:Account Name as CN=Lastname\, Firstname, OU=Users, DC=CONTOSO, DC=com, then it can be in the lastname,firstname format, in which case user field will not be extracted.


Field Changes

Source - WinEventLog:System field mapping changes

Source-type EventCode Fields added Fields removed
['WinEventLog'] 104 object, user_name, object_category, action, result, status, change_type

Source - XmlWinEventLog:System field mapping changes

Source-type EventCode Fields added Fields removed
['WinEventLog'] 104 user, object, user_name, object_category, user_data_channel, action, result, status, change_type

Source - WinEventLog:Security field mapping changes

Source-type EventCode Fields added Fields removed


['WinEventLog'] 1102 result, object, user_name
['WinEventLog'] 4624 authentication_method
['WinEventLog'] 4625 authentication_method
['WinEventLog'] 4634 object_id, change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name
['WinEventLog'] 4698 object, user_name, TaskContent, object_category, object_attrs, result, change_type
['WinEventLog'] 4700 object, user_name, TaskContent, object_category, object_attrs, result, change_type
['WinEventLog'] 4701 object, user_name, TaskContent, object_category, object_attrs, result, change_type
['WinEventLog'] 4702 object, user_name, TaskNewContent, object_category, object_attrs, result, change_type
['WinEventLog'] 4719 result, object, user_name
['WinEventLog'] 4720 src_user_name, object_id, object, user_name, object_attrs, New_Account_Account_Name, New_Account_Domain, New_Account_Security_ID
['WinEventLog'] 4732 src_user_name, object_id, Member_Security_ID, object, user_name, Member_Account_Name
['WinEventLog'] 4740 src_user_name, object_id, Account_Locked_Out_Security_ID, Account_Locked_Out_Name, object, user_name, object_attrs
['WinEventLog'] 4800 change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name
['WinEventLog'] 4801 change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name

Source - XmlWinEventLog:Security field mapping changes

Source-type EventCode Fields added Fields removed
['XmlWinEventLog'] 1102 result, object, user, user_name
['XmlWinEventLog'] 4624 authentication_method
['XmlWinEventLog'] 4625 authentication_method
['XmlWinEventLog'] 4634 object_id, change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain
['XmlWinEventLog'] 4698 user, object, user_name, object_category, object_attrs, result, change_type
['XmlWinEventLog'] 4700 user, object, user_name, object_category, object_attrs, result, change_type
['XmlWinEventLog'] 4701 user, object, user_name, object_category, object_attrs, result, change_type
['XmlWinEventLog'] 4702 user, object, user_name, object_category, object_attrs, result, change_type
['XmlWinEventLog'] 4719 result, object, user, user_name
['XmlWinEventLog'] 4720 src_user_name, object_id, object, user_name, object_attrs
['XmlWinEventLog'] 4732 src_user_name, object_id, object, user_name, object_attrs
['XmlWinEventLog'] 4740 src_user_name, object, user_name, object_attrs
['XmlWinEventLog'] 4800 change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain
['XmlWinEventLog'] 4801 change_type, object, user_name, object_category, object_attrs, result, src_user, src_user_name, src_nt_domain

Fixed Issues

Version 8.5.0 of the Splunk Add-on for Windows fixes the following issues:


Known Issues

Version 8.5.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:


Version 8.4.0

Version 8.4.0 of the Splunk Add-on for Windows was released on February 1, 2022.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.4.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.4.0 of the Splunk Add-on for Windows has the following new or changed features:

Features

  • Enhanced "win_listening_ports.bat" input to get the process name associated with the listening port.
  • Added 'storage_free', 'storage', 'storage_used', and 'storage_used_percent' field extractions for "PerfmonMk:LogicalDisk" sourcetype.
  • Added 'user_type'=computer field extraction for the EventCodes 4741, 4742, and 4743.
  • Added 'dest' and 'resource_type' field extractions for the "Script:TimesyncStatus" sourcetype.
  • Introduced a new eventtype 'windows_security_change_account' (with tags: 'account', 'change' and CIM datamodel: Change:Account_Management) which will only apply to Windows Event Codes: 4703, 4704, 4705, 4722, 4723, 4724, 4725, 4726, 4738, 4767, and 4781 falling under source="WinEventLog:Security" OR source="XmlWinEventLog:Security". Also enhanced the CIM mappings for these Event Codes. (To review field extraction changes, please refer to "Field Changes" Section)
  • Excluded Event Codes: 4703, 4704, 4705, 4722, 4723, 4724, 4725, 4726, 4738, 4767, 4781 from 'wineventlog_windows' eventtype to remove the incorrect Endpoint:Filesystem CIM tag.
  • Added support of the latest DHCP event format and enhanced the CIM mapping of the "DhcpSrvLog" sourcetype.
CIM Data Model DHCP Event IDs before v8.4.0 DHCP Event IDs after v8.4.0
['Network Sessions:DHCP'] All the DHCP events (sourcetype=DhcpSrvLog) 10,11,12,13,14,15,16,17,18
['Network Sessions:Session_Start'] 10,11,13 10,11
['Network Sessions:Session_End'] 12,16,17 12,16,17,18

Notes:

  • Removed the tags (dhcp network session) from 'DhcpSrvLog' eventtype and created new 'DhcpSrvLog_dhcp' eventtype which covers Event Codes mapped with NetworkSession:dhcp DM.
  • The header for latest supported event format is [ ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError ]


Fixes

  • Removed invalid 'object' field extraction (sourcetype AS object) from all security events. (Note: Existing users relying on the 'object' field can directly use the 'sourcetype' field.)
  • Fixed the 'Name' field extraction issue for "WMI:LocalProcesses" sourcetype when Name contains the space character.

Field Changes

Source - WinEventLog:Security field mapping changes

Source-type EventCode Fields added Fields removed
['WinEventLog'] 4703 change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, object_category, Target_Logon_ID, object_attrs, Target_Account_Name, user_name, user_group, Target_Account_Domain, result, object_id
['WinEventLog'] 4704 change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Subject_Account_Name, object_category, Target_Account_Name, object_attrs, user_name, user_group, result
['WinEventLog'] 4705 change_type, Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Subject_Account_Name, object_category, Target_Account_Name, object_attrs, user_name, user_group, result
['WinEventLog'] 4722 Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id
['WinEventLog'] 4723 Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, Target_Account_Domain, user_group, result, object_id
['WinEventLog'] 4724 Subject_Security_ID, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, Target_Account_Domain, user_group, result, object_id
['WinEventLog'] 4725 Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id
['WinEventLog'] 4726 Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id
['WinEventLog'] 4738 Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id
['WinEventLog'] 4767 Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, Target_Account_Name, user_name, object_attrs, Target_Account_Domain, user_group, Subject_Security_ID, object_id
['WinEventLog'] 4781 Target_Old_Account_Name, src_user, Target_New_Account_Name, Subject_Account_Domain, src_user_name, Subject_Logon_ID, Target_Security_ID, Subject_Account_Name, user_name, Target_Account_Domain, Subject_Security_ID, object_id

Source - XmlWinEventLog:Security field mapping changes

Source-type EventCode Fields added Fields removed
['XmlWinEventLog'] 4703 result, user_name, object_attrs, object_category, object_id, src_user_name, change_type
['XmlWinEventLog'] 4704 result, object_attrs, object_id, object_category, src_user_name, change_type
['XmlWinEventLog'] 4705 result, object_attrs, object_id, object_category, src_user_name, change_type
['XmlWinEventLog'] 4722 user_name, object_attrs, src_user_name, object_id
['XmlWinEventLog'] 4723 result, user_name, src_user_name, object_id
['XmlWinEventLog'] 4724 result, user_name, src_user_name, object_id
['XmlWinEventLog'] 4725 user_name, object_attrs, src_user_name, object_id
['XmlWinEventLog'] 4726 user_name, object_attrs, src_user_name, object_id
['XmlWinEventLog'] 4738 user_name, object_attrs, src_user_name, object_id
['XmlWinEventLog'] 4767 user_name, object_attrs, src_user_name, object_id
['XmlWinEventLog'] 4781 user, user_name, src_user_name, object_id


Fixed Issues

Version 8.4.0 of the Splunk Add-on for Windows fixes the following issues:


Known Issues

Version 8.4.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:



Version 8.3.0

Version 8.3.0 of the Splunk Add-on for Windows was released on December 8, 2021.

The Splunk Add-on for Windows 5.0.0 introduced breaking changes. If you are upgrading from a version of the Splunk Add-on for Windows that is lower than 5.0.0, you must follow the steps outlined in Upgrade the Splunk Add-on for Windows. Failure to do so can result in data loss.

The Splunk Add-on for Windows DNS version 1.0.1 and the Splunk Add-on for Windows Active Directory version 1.0.0 are not supported when installed alongside the Splunk Add-on for Windows versions 6.0.0 and higher. The Splunk Add-on for Windows versions 6.0.0 and higher includes the Splunk Add-on for Windows DNS and the Splunk Add-on for Microsoft Active Directory.


Compatibility

Version 8.3.0 of the Splunk Add-on for Windows is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 8.1.x, 8.2.x
CIM 4.15 and later
Platform Windows
Vendor Products Windows Server 2022, Windows 11, Windows Server 2019, Windows 8.1, Windows 10, Windows Server 2012/2012 R2, Windows Server 2016, Microsoft Active Directory, Microsoft Windows DNS Server

New or changed features

Version 8.3.0 of the Splunk Add-on for Windows has the following new or changed features:

Features

  • Support for Windows Server 2022 and Windows 11

Fixed Issues

Version 8.3.0 of the Splunk Add-on for Windows fixes the following issues:

Known Issues

Version 8.3.0 of the Splunk Add-on for Windows contains the following known issues. If no issues appear below, no issues have yet been reported:

Last modified on 25 September, 2023
PREVIOUS
Installation and configuration overview for the Splunk Add-on for Windows 		  NEXT
Install the Splunk Add-on for Windows

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters