topic Re: How to index and forward all Windows Security events? in Getting Data In

How to index and forward all Windows Security events?

agarrison — Thu, 03 Mar 2016 21:01:27 GMT

I can't find anything that quite matches what I am trying to do.
We have a security device that can ingest Windows Security logs from Splunk, it would be much easier than installing a second forwarder for the security appliance itself.

I cannot find what I would need to index sourcetype="WinEventLog:Security" as well as forward it to an additional server.

I have tried several implementations on here, but the whole props, transforms, outputs, inputs config file setup is not very intuitive.

Re: How to index and forward all Windows Security events?

agarrison — Thu, 03 Mar 2016 21:02:27 GMT

I have tried Syslog routing and TCP routing and have not managed to get the windows security events to forward as a syslog event either way. any help would be appreciated.

Re: How to index and forward all Windows Security events?

agarrison — Thu, 03 Mar 2016 21:59:35 GMT

The events need to be forwarded using TCP, I can get them out using UDP, but when I enter type=tcp in the outputs.conf it stops sending.

Re: How to index and forward all Windows Security events?

gfreitas — Thu, 03 Mar 2016 22:01:55 GMT

Hi agarrison,

Maybe this link from the docs can help you: http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Forwarddatatothird-partysystemsd#Syslog_data

Re: How to index and forward all Windows Security events?

muebel — Thu, 03 Mar 2016 22:13:19 GMT

Hi agarrison, I've got some questions, but here is a provisional answer. If this is possible, it's outlined here: http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Routeandfilterdatad

Re: How to index and forward all Windows Security events?

muebel — Thu, 03 Mar 2016 22:14:21 GMT

Hi agarrison, do you have any heavy-forwarders, or do all of the universal forwarders send straight to the indexer(s)?

Re: How to index and forward all Windows Security events?

agarrison — Thu, 03 Mar 2016 23:30:41 GMT

all of the servers have the Universal forwarder installed going to the splunk indexer. I want to just forward from the indexer so I am not collecting the information twice

Re: How to index and forward all Windows Security events?

agarrison — Tue, 29 Sep 2020 08:58:48 GMT

I have looked at all of those links before posting, Here is the config that I have

transforms.conf
[sent_to_strm]
DEST_KEY = _SYSLOG_ROUTING
FORMAT= strm_server

props.conf
[WinEventLog:Security]
TRANSFORMS-strm = sent_to_strm

outputs.conf

[syslog:strm_server]
server=10.0.250.50:514
indexAndForward=true
sendCookedData=false

      If I add type=tcp to the outputs it will not send, but the appliance is listening for a "TCP multiline event" from splunk and ignores the data if it is UDP

Re: How to index and forward all Windows Security events?

agarrison — Tue, 29 Sep 2020 08:58:51 GMT

Running a Wireshark capture I do not see anything forwarded after I add the type=tcp, but I get events without it. I'm not sure If I need to use _TCP_ROUTING? but When I tried to set that up I do not think I set it up right either since I got nothing.

Re: How to index and forward all Windows Security events?

agarrison — Tue, 29 Sep 2020 08:58:54 GMT

I got it working using:
outputs.conf
[syslog:ms_strm_dev]
server = 10.164.4.200:12468
type = tcp

props.conf
[syslog]
TRANSFORMS-routing = win_strm, win_index, FilterSecurityEvents, trunkEventDesc1, trunkEventDesc2, UserFilter, LogonFilter

transforms.conf
[win_index]
REGEX = ^(\d\d)\/(\d\d)\/(\d\d\d\d)\s(\d\d):(\d\d):(\d\d)\s\w\w
FORMAT = TimeGenerated::$2/$1/$3 $4
DEST_KEY = queue
FORMAT = indexQueue
[win_strm]
REGEX = EventCode=
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ms_strm_dev

But the data comes across with extra information, the event starts with <13> or some other two digit variable that the appliance does not seem to be expecting as well as the host name, which I am going to need them to parse to know where the event originated.

<13> EXCHANGE 03/04/2016 11:01:54 AM

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information

ComputerName=EXCHANGE.domain
TaskCategory=Logon
OpCode=Info
RecordNumber=251551525
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation

New Logon:
Security ID: domain\jdoe
Account Name: jdoe
Account Domain: domain
Logon ID: 0x91E86B45
Logon GUID: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:

Source Network Address: 10.0.0.250
Source Port: 60790

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -

The appliance is apparently looking for the information following this regex:
(?:<(\d+)>\s?(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) )?(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}[AP]M)

I made the following regex that works
(?:<(\d+)>\s(?P\w+) (?P\d{2}\/\d{2}\/\d{4}) (?P\d{2}:\d{2}:\d{2}\ \w+))
But I don't think there is any way to change the regex the appliance uses.

I am using a Juniper JSA appliance, here is the manual, there is a Splunk section but it is not helpful, their document states to see the Splunk documentation

https://www.juniper.net/techpubs/en_US/jsa2014.4/information-products/topic-collections/jsa-configuring-dsm.pdf