topic Logs not coming from Windows Defender in All Apps and Add-ons

Logs not coming from Windows Defender

test_qweqwe — Sat, 13 Jan 2018 15:36:22 GMT

Hi
I have running Windows Defender and want to collect logs to Splunk.

Windows Defender that running on my host Windows 10 Enterprise LTSB;
Splunk 7.0 that collect logs local from my host;
TA for Microsoft Windows Dedender;

Logs not collected.
What should I do to fix it? I have no idea.

Re: Logs not coming from Windows Defender

mjeffery_splunk — Sat, 13 Jan 2018 15:50:57 GMT

Did you deploy the add-on to the Windows host you wish to get the logs from?

Ideally, you would do this from the Forwarder Manager (Settings->Forwarder Management).
Copy the add-on from $SPLUNK/etc/apps to $SPLUNK/etc/deploy-apps.
Create a new folder "local" in $SPLUNK/etc/deploy-apps//
Copy the inputs.conf from the "default" folder to "local" (the one you just created)
Change "disabled = true" to "disabled = false"

Verify that the TA_microsoft-windefender folder is on the host you wish to get that data from and then you should be good to go.

Restart the forwarder service (services.msc) for good measure.

Re: Logs not coming from Windows Defender

test_qweqwe — Sat, 13 Jan 2018 15:55:17 GMT

I did it all and it's not helped.

Re: Logs not coming from Windows Defender

mjeffery_splunk — Sat, 13 Jan 2018 21:42:48 GMT

Bring up the Event Viewer on the Windows box you're trying to get those logs from and verify that it is indeed logging the events under "Applications and Services Logs"

Re: Logs not coming from Windows Defender

test_qweqwe — Sat, 13 Jan 2018 21:57:46 GMT

So, if i generating new event (downloaded poor virus that windefender detect) it's sends logs. One problem is resolved \o/

But another problem, how to collect all logs from Windefender?
Not only new. All from beginning to now. And yes in Event Viewer in Microsoft-Windows-Windows Defender/Operational there are many logs.

Re: Logs not coming from Windows Defender

test_qweqwe — Sat, 13 Jan 2018 22:10:47 GMT

My config

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
start_from = oldest
current_only = 0
renderXml = 1

Re: Logs not coming from Windows Defender

pdoconnell — Sat, 13 Jan 2018 23:23:38 GMT

This works for me:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
renderXml = 1

I confirm logs coming into Splunk for index=windefender with that input. Confirm that your Windows Defender log location is correct for your system.

Re: Logs not coming from Windows Defender

test_qweqwe — Sat, 13 Jan 2018 23:28:16 GMT

Hi!
In my previous comment I said that logs coming, but only new. I need historical (old) and new logs.

Re: Logs not coming from Windows Defender

pdoconnell — Tue, 29 Sep 2020 17:43:07 GMT

It looks like the start_from and current_only stanzas dont appear anymore in the inputs.conf definition. Maybe it is no longer supported?

Re: Logs not coming from Windows Defender

test_qweqwe — Sun, 14 Jan 2018 01:43:33 GMT

Maybe, but how me collect all logs of windefender that i have on my PC? 🙂