topic Re: How to only forward Windows Security logs in Getting Data In

How to only forward Windows Security logs

sventura15 — Mon, 02 Apr 2012 14:11:23 GMT

Hi,

I would like to forward only successful and failed Windows login attempts from my Windows 2008 Server to my RHEL forwarder. How do I go about configuring this?

My thanks in advance

Re: How to only forward Windows Security logs

kristian_kolb — Mon, 02 Apr 2012 21:21:17 GMT

Have you looked at this section of the docs?

http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest

You would probably need something like;

in props.conf

[WinEventLog:Security]
TRANSFORMS-winevt=winevtnull, winevtparsing

in transforms.conf

[winevtnull]
REGEX=(?m).
DEST_KEY=queue
FORMAT=nullQueue

[winevtparsing]
REGEX=(?m)^EventCode=(AAAA|BBBB|CCCC|DDDD)
DEST_KEY=queue
FORMAT=indexQueue

Where AAAA, BBBB etc would be the EventCodes you are interested in keeping. Haven't tried it with WinEventLogs before myself, but this is what the good book says.

UPDATED to remove references [WMI:WinEventLog:Security] and WMI stuff in general. See comments below for more info.

Hope this helps,

Kristian

Re: How to only forward Windows Security logs

sventura15 — Tue, 03 Apr 2012 15:22:29 GMT

after doing this, and restarting splunk, is there anything else I have to do or just look for logs to show up on the receiveing end ?

Thanks

Re: How to only forward Windows Security logs

sventura15 — Tue, 03 Apr 2012 15:23:49 GMT

another question, this props and transforms file, are they supposed to be edited in the default directory (C:\Program Files\Splunk\etc\system\default), or are the files supposed to be moved to the C:\Program Files\Splunk\etc\system\local and then edited ?

Re: How to only forward Windows Security logs

kristian_kolb — Tue, 03 Apr 2012 15:48:28 GMT

Never edit the files in a 'default' directory. Create new empty props/transforms.conf files and just add your configs there. At runtime the settings are merged, and a setting in a conf file in a 'default' directory will be overridden by settings in a conf file in a 'local' directory.

Re: How to only forward Windows Security logs

sventura15 — Tue, 03 Apr 2012 15:53:14 GMT

ahhhh, I coped the files from default into local, and then added the text to the props and transforms in the local directory. Actually, that should give us the same result, so no biggie right?

So I setup forwarding and receiving, but it is still sending all content, including CPU time, memory, etc. etc. Here is what I added to the very bottom of my props file :

[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull, wmiparsing

(more in the next comment)

Re: How to only forward Windows Security logs

sventura15 — Tue, 03 Apr 2012 15:53:20 GMT

Here is what I added to the very bottom of my transforms file:
[wminull]
REGEX=(?m).
DEST_KEY=queue
FORMAT=nullQueue

[wmiparsing]
REGEX=(?m)^EventCode=(4616|4625|4624|4634|4647|4648|4656|4672|4673|4674|4776|4778|4779|4953|4985)
DEST_KEY=queue
FORMAT=indexQueue

All the event codes are codes I found manually going through event viewer. I restarted splunk on both the reciever and the forwarder. Any ideas ?

Re: How to only forward Windows Security logs

kristian_kolb — Tue, 03 Apr 2012 15:55:56 GMT

Also, you have to install and configure a forwarder on the windows machine. See the "Getting Data in" manual in the docs.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Usingforwardingagents

http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata

Also you might want to look at the Distributed Deployment manual

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deploymentoverview

Also, you have to enable your splunk server to listen to incoming traffic, and your forwarder to send the logs to the correct host/port

Re: How to only forward Windows Security logs

sventura15 — Tue, 03 Apr 2012 16:00:17 GMT

oh yeah, the forwarding and receiving is working great. I even see the connection when I do a netstat -na on the reciever. Lots of data got dumped into the reciever (CPU, memory, etc.). My problem is I need to filter the data sent to the reciever. I only want windows security entries being send to the reciever.

Re: How to only forward Windows Security logs

kristian_kolb — Tue, 03 Apr 2012 16:00:22 GMT

You should look at the inputs.conf file on your forwarder. Actually there may several files called inputs.conf. Not 100% sure where the will be on a windows forwarder though, but probably under

c:\program files\splunk\etc\apps\search or
c:\program files\splunk\etc\apps\launcher or
c:\program files\splunk\etc\apps\MSICreated or
c:\program files\splunk\etc\system\local

Remove or comment any references to perf-mon data (or other stuff you do not want.)

Re: How to only forward Windows Security logs

sventura15 — Tue, 03 Apr 2012 16:12:27 GMT

I tried this article to no avail :

http://splunk-base.splunk.com/answers/29218/filtering-windows-event-logs

Re: How to only forward Windows Security logs

sventura15 — Tue, 03 Apr 2012 16:19:53 GMT

it was under system\local, was set to :
host = HOSTNAME
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
disabled = 0 <-- changing to 1

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
disabled = 0<-- changing to 1

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
disabled = 0<-- changing to 1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

Re: How to only forward Windows Security logs

sventura15 — Tue, 03 Apr 2012 16:25:19 GMT

still sending everything ....

Re: How to only forward Windows Security logs

kristian_kolb — Wed, 04 Apr 2012 08:07:01 GMT

Your inputs.conf on the forwarder should contain

[WinEventLog:Security]
index=your_index
disabled = 0

and nothing else. I might have made a slight mistake in copying text from the docs. In props.conf, the stanza name should probably NOT be [WMI:WinEventLog:Security], but rather [WinEventLog:Security].

That should match the sourcetype better.

Re: How to only forward Windows Security logs

sventura15 — Wed, 04 Apr 2012 13:06:02 GMT

What should the name of that index be ? Here are my files:

props.conf:
[WinEventLog:Security]
TRANSFORMS-winevt=winevtnull, winevtparsing

transforms.conf:
[winevtnull]
REGEX=(?m).
DEST_KEY=queue
FORMAT=nullQueue

[winevtparsing]
REGEX=(?m)^EventCode=(5157|4625|4624|7036|1102|1033)
DEST_KEY=queue
FORMAT=indexQueue

inputs.conf:
[WinEventLog:Security]
index=winevtparsing
disabled = 0

When I generated a failed login, I got the error in the local splunk stating: received event for unconfigured/disabled index='winevtparsing' with source='source::Wineventlog:security' host=host::KIM-SNIFF'

Re: How to only forward Windows Security logs

sventura15 — Wed, 04 Apr 2012 13:06:33 GMT

source type='sourcetype::WinEventLog:Security' (1 missing total)

Re: How to only forward Windows Security logs

sventura15 — Wed, 04 Apr 2012 13:09:06 GMT

could it be I used the wrong index name in the inputs.conf? I apologize as I am very green when it comes to splunk, so anything is possible. :0)

Re: How to only forward Windows Security logs

sventura15 — Wed, 04 Apr 2012 13:33:20 GMT

I found the indexes in the Splunk, manager, indexes section, and the only ones that are updating frequently are the main, _internal, and _audit indexes. I changed the inputs.conf file index= stating main, then restarting the service, stuff kept showing up for CPU, etc., so I did the same for _internal and _audit, and those also showed everything. I make sure I saved the file and restarted the service on the windows server after every change to the inputs.conf file.

Re: How to only forward Windows Security logs

sventura15 — Wed, 04 Apr 2012 13:47:09 GMT

I tried default index as well to no avail.

Re: How to only forward Windows Security logs

sventura15 — Wed, 04 Apr 2012 14:24:01 GMT

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
disabled = 1
interval = 10000000
source = WinRegistry
sourcetype=WinRegistry
queue = winparsing
persistentQueueSize=50MB

[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
interval = 10000000
source = ActiveDirectory
sourcetype = ActiveDirectory
disabled = 1
queue = winparsing
persistentQueueSize=50MB

[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
interval = 10000000
source = PerformanceMonitor
sourcetype = PerformanceMonitor
disabled = 1
queue = winparsing
persistentQueueSize=50MB