Hello,
I'm able to receive almost all eventcodes for `wineventlog:security` but missing the logs for eventcode 4776 .
I have the Windows TA app installed on the universal forwarder and search head. I have tried the following:
I unchecked the box labeled "Overwrite field values", which should stop Splunk from overwriting the existing `Error_Code` field (it did not work).
Then I created `props.conf` on the search head with this:

```
[source::WinEventLog:Security]
FIELDALIAS-Status_as_Error_Code = Status ASNEW Error_Code
```

Then I restarted the search head.
None of those steps are working. I checked the blocklist in the input file but code 4776 is one of them.
Could you please help?
Thanks
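The script below is an added example for readers of this thread, not code from the original post or from Splunk. Before touching field aliases on the search head, it is worth confirming that Event ID 4776 is actually being written on the host the forwarder reads from: 4776 ("The computer attempted to validate the credentials for an account") is only logged when the "Audit Credential Validation" subcategory is enabled, and only on the machine that performs the validation, which for domain accounts is a domain controller, so a forwarder on a member server will only see it for local-account logons. The install path and the location of the TA's `inputs.conf` are assumptions; adjust them to your deployment.

```powershell
# Added example (not from the original post): checks to run on the Windows host
# whose Security log is expected to contain Event ID 4776.
# Assumed (hypothetical) paths: the universal forwarder lives under
# C:\Program Files\SplunkUniversalForwarder and the Windows TA's local
# inputs.conf under etc\apps\Splunk_TA_windows\local.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$InputsConf = Join-Path $SplunkHome 'etc\apps\Splunk_TA_windows\local\inputs.conf'

# 1. 4776 is only generated when "Audit Credential Validation" is enabled, and
#    only on the machine that validates the credential (a DC for domain accounts).
Write-Host '== Effective audit policy: Credential Validation =='
auditpol.exe /get /subcategory:"Credential Validation"

# 2. Ask the event log directly. If nothing comes back, the gap is upstream of
#    Splunk: the forwarder cannot send events that were never written.
Write-Host '== Most recent 4776 events in the local Security log =='
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776 } -MaxEvents 5 -ErrorAction Stop |
        Select-Object TimeCreated, Id, MachineName |
        Format-Table -AutoSize
} catch {
    # Get-WinEvent raises a terminating error (because of -ErrorAction Stop)
    # when no event matches the filter.
    Write-Host "No 4776 events returned: $($_.Exception.Message)"
}

# 3. Show the whitelist/blacklist and rendering settings of the Security input
#    stanza on the forwarder. A blacklist entry that matches 4776, or a whitelist
#    that omits it, drops the event on the host before it is ever indexed.
Write-Host "== [WinEventLog://Security] settings in $InputsConf =="
if (Test-Path $InputsConf) {
    $inStanza = $false
    foreach ($line in Get-Content $InputsConf) {
        if ($line -match '^\s*\[') {
            $inStanza = ($line -match '^\s*\[WinEventLog://Security\]')
        }
        if ($inStanza -and $line -match '^\s*(whitelist|blacklist|renderXml|disabled)') {
            $line
        }
    }
} else {
    Write-Host 'inputs.conf not found at the assumed path.'
    Write-Host 'Use the forwarder''s btool to see the merged stanza instead:'
    Write-Host "  & '$SplunkHome\bin\splunk.exe' btool inputs list WinEventLog://Security --debug"
}
```

Run it in an elevated PowerShell session on the domain controller (or on whichever host you expect to generate 4776), since reading the Security log requires administrative rights. Step 3 only reads the `local` copy of the TA's `inputs.conf`; the `btool` command shown in the fallback branch prints the fully merged configuration, including `default` settings and any other app that touches the same stanza, which is the authoritative view of what the forwarder filters.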