I have a bunch of Splunk forwarders installed to collect Windows logs and send them to a collector. The forwarders are installed on Windows XP, 2003, 7, and Server 2008 machines. The forwarders have all Windows logs set as data inputs. On the Windows XP machines, I keep seeing a security failure audit in the Security log. It occurs approximately every 5 seconds, and I believe this is occurring because I am trying to get the Security log, because if I remove the data input for that log no errors are generated. This error is causing the security logs not to be forwarded to the collector. As far as I can tell there is no GPO set up to restrict access to the Security log, and the forwarders are set up the exact same way throughout the network (no other machines are experiencing this problem). The user account that Splunk uses to log in is a domain admin account. I've tried adding the Splunk account to the Auditors group on the XP machines, but that didn't help. Are you aware of any security settings on Windows XP that could be causing this problem? Is there anything you could suggest to try to rectify the situation?