topic Re: How to gather only the Administrators' login/logout events from Windows Universal FW? in Security

How to gather only the Administrators' login/logout events from Windows Universal FW?

skender27 — Thu, 09 Feb 2017 16:31:46 GMT

Hi,

I have this necessity to gather exclusively the Windows Administrators login/logfail/logout from Windows Universal FW.
I know how to do for the type of events (by putting EventCode IDs in the .conf files that I deploy to the universal forwarders)
What I still do not do, is collecting ONLY the admin events. What I mean is provisioning this directly from the FW level and not indexing these kinds of events for all users and only then filtering through (maybe match a predefined CSV file) and building dashboards.

I have read somewhere about some regex stanza (in props.conf and transforms.conf) which provide patterns to allow event gathering...
I hope someone has had the same issue before.

Thanks a lot in advance,
Skender

Re: How to gather only the Administrators' login/logout events from Windows Universal FW?

hsesterhenn_spl — Thu, 09 Feb 2017 17:59:50 GMT

Hi,

you can't filter by event on a Windows Universal Forwarder because a UF does not parse (Indexer or Heavy Forwarder do).

BUT, you might blacklist/whitelist by event ID and some regexes...

http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

HTH,

Holger

Re: How to gather only the Administrators' login/logout events from Windows Universal FW?

gcusello — Fri, 10 Feb 2017 09:10:49 GMT

Hi skender27,
you cannot filter events on Forwarders, but only on Indexers or Heavy Forwarders.
To filter events, so you have to create in your indexer/s props.conf and transforms.conf like these:
props.conf

[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = your regex
DEST_KEY = queue
FORMAT = indexQueue

See http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest

The problem is that you have to restart Splunk every time you modify your regex to insert a new administrator's username.
In addition you could need to have all users login and filter them at application level.

So I usually filter my events to take only the ones related to login, logout and logfail and I inserted the Administrators usernames in a lookup filtering my searches for this lookup.
In this way I can add an administrator with no Splunk restart and I can monitor all the users logins; obviously I must index more logs, but with the filter on Windows EventCodes there isn't a very larger consuption of Splunk License.

the regex I used to filter windows login events is the following, useful for all Windows Systems (old and new, Win and SQL):

(?m)EventCode=528|EventCode=529|EventCode=530|EventCode=531|EventCode=532|EventCode=533|EventCode=534|EventCode=535|EventCode=536|EventCode=537|EventCode=538|EventCode=539|EventCode=540|EventCode=4624|EventCode=4625|EventCode=4634|EventCode=4647|EventCode=4648|EventCode=4672|EventCode=4675|EventCode=4771|EventCode=17055|EventCode=18450|EventCode=18451|EventCode=18452|EventCode=18453|EventCode=18454|EventCode=18455|EventCode=18456|EventCode=18457|EventCode=18458|EventCode=18459|EventCode=18460|EventCode=18461|EventCode=24001|EventCode=24002|EventCode=24003

Bye.
Giuseppe

Re: How to gather only the Administrators' login/logout events from Windows Universal FW?

skender27 — Fri, 10 Feb 2017 13:16:58 GMT

Hi Giuseppe,

Thanks for your response in so fast time!
I fully understand the explanation and you just reminded me about the chances I've got.

But, what if, for legal compliance, you MUST NOT index in your indexer any log from other users who are not Administrators?
I already have done the way you and hsesterhenn suggested. If with an UF you cannot do this without first, it is OK for me. I just need to be sure.

Thanks a lot,
Skender

Re: How to gather only the Administrators' login/logout events from Windows Universal FW?

skender27 — Fri, 10 Feb 2017 13:18:12 GMT

Hi hsesterhenn,

Thanks so much for your response. I appreciated this!

Skender