topic Re: How do I edit my configuration to index security event logs for Windows success/failed login and logout events? in Getting Data In

How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

amadmin — Tue, 20 Oct 2015 11:31:13 GMT

Hi,

I installed Splunk Enterprise to a single instance and am installing the Splunk Universal Forwarder.
The goal is to index only Windows security event logs of Windows login success, failed, and logout.

I have configured the PROPS file on the server as follows:

[default]

[csv]
CHECK_FOR_HEADER = false

[WinEventLog:Security]
# MODIFICARE: Filtro sugli gli eventi WinEventLog Security locali (server Splunk)
TRANSFORMS-wineventlog_security = SetNull, GetLocalWinAdmin

and TRANSFORMS:

[SetNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[GetLocalWinAdmin]
# Filtro per prendere log(falliti e non) e logoff solo di tutti gli Admin (Win2000/3 e Win2008)
#REGEX =(?msi)EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s
#REGEX =(?msi)EventCode=(?:5(?:29|3[0-7])|4625)|EventCode=(?:5(28|38|40)|46(?:24|34|47|48))\s+.+(?:(?:User|Account)\s+Name:|(?:Nome\s+(?:utente|account):))\s+(?:Admin|Administrator|user1|user2|user3)\s

source="WinEventLog:*"

on FORWARDER servers I configured the file inputs and outputs as follows:

INPUTS:

[WinEventLog://Security]
checkpointInterval = 5
disabled = 0
current_only = 1 
evt_resolve_ad_obj = 1
# start_from = newest
whitelist = 528,538,540,529,530,531,532,533,534,535,536,537,539,4624,4625,4634,4648,4672,4625,4771

OUTPUTS:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = SPLUNK.domain.local:9997

At present I have received some data source with 2:
WinEventLog: Application
WinEventLog: System

but not of WinEventLog: Security !!!! That is what I'm interested in.
I do not understand why it's not working. Can anyone help?

Thank you.

Re: How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

woodcock — Fri, 30 Oct 2015 16:56:16 GMT

This stanza is broken:

[GetLocalWinAdmin]
# Filtro per prendere log(falliti e non) e logoff solo di tutti gli Admin (Win2000/3 e Win2008)
#REGEX =(?msi)EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s
#REGEX =(?msi)EventCode=(?:5(?:29|3[0-7])|4625)|EventCode=(?:5(28|38|40)|46(?:24|34|47|48))\s+.+(?:(?:User|Account)\s+Name:|(?:Nome\s+(?:utente|account):))\s+(?:Admin|Administrator|user1|user2|user3)\s
source="WinEventLog:*"

Replace it with this (or similar; you may need to fix REGEX😞

[GetLocalWinAdmin]
REGEX=(?m)^EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s
DEST_KEY=queue
FORMAT=indexQueue

P.S. Forget my first (wrong) answer (now deleted).

Re: How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

amadmin — Mon, 02 Nov 2015 10:35:22 GMT

because wrong?
thanks to the previous answer, now I get events WinEventLog: Security
but, I want to index only WinEventLog: Security

It could indicate TRANSFORMS.conf entire file? 🙂

thanks

Re: How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

woodcock — Tue, 03 Nov 2015 00:11:31 GMT

It appears that you are trying to do 2 levels of filtering.
The first level is whitelisting by EventCode. You have configured this correctly so that only EventCodes in the whitelist should be forwarded. If you keep my first answer (which was remove SetNull from the TRANSFORMS- line), then you will get no additional filtering and you will get some (the whitelisted) events. If you keep SetNull and would like to use it to do additional filtering, then you need to make sure that you use a RegEx that works to pull events back out of the nullQueue (the way you have it right now, it has no RegEx so it is as though it does not exist so all events go into the nullQueue and none are pulled back out).

Re: How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

amadmin — Tue, 03 Nov 2015 14:09:29 GMT

thanks for the reply woodcock.
it is exactly like that, I want to do two levels of filtering.
the first whitelisting by EventCode now is OK, for the second filter I would keep SetNull. how can I make a RegEx suitable for this?

Thanks to all for any suggestion.

Re: How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

woodcock — Tue, 03 Nov 2015 14:27:14 GMT

Take a look at my answer; just make sure that you are specifying a valid REGEX and it should work just fine. You will have to restart the Splunk instances on your Indexers, though, and it will only apply to events that are indexed after the restarts.

Re: How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

amadmin — Thu, 05 Nov 2015 15:49:10 GMT

in your opinion what is the best way to index ONLY events security specified in INPUTS.conf and only for users defined by me?
you must also keep SetNull?

Re: How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

amadmin — Fri, 06 Nov 2015 17:03:48 GMT

I would like written on index Splunk only event from WinEventLog: // Security
whith EventCode 528,538,540,529,530,531,532,533,534,535,536,537,539,4624,4625,4634,4648,4672,4625,4711
in my case it is useful to use SetNull, and how?

Re: How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

woodcock — Sat, 07 Nov 2015 04:10:07 GMT

If you only need to filter on EventCode, then you do not need anything in props.conf, not transforms.conf; your whitelist in inputs.conf should work just fine.