topic Re: Change auditor collect in Installation

Change auditor collect

ALLIACOM — Wed, 11 Jul 2018 12:06:55 GMT

hello every body ,

someone know how to configure splunk for collect change auditor logs please ?

Thansk in advance

Re: Change auditor collect

manish_singh_77 — Wed, 11 Jul 2018 12:17:29 GMT

Hi Alliacom,

Pls refer the below link for more information, let me know if it works for you.

http://docs.splunk.com/Documentation/Splunk/6.1.4/Security/AuditSplunkactivity

Re: Change auditor collect

ALLIACOM — Wed, 11 Jul 2018 12:31:15 GMT

Hi manish thank's for you answer but
i'm talking about dell change auditor logs and not splunk audit logs

Re: Change auditor collect

Richfez — Wed, 11 Jul 2018 12:45:07 GMT

I'd check your documentation - apparently there's a SIEM Integration Guide with a section on Integration with Splunk.

I'd need a login at the change auditor site in order to see the details (which you should have if you own the software), but the little that I see when I search their KBase tells me mostly what we need to know.

When searched for siem, https://support.quest.com/change-auditor/kb?k=siem, shows a couple of tidbits:

... to write Change Auditor audited events locally to a Windows event log.

And also

Select the subsystems to include in the subscription. Click Finish. For more information please see the "Managing a Splunk integration" section of the SIEM Integration Guide.

When you put those two together, I believe Change Auditor can record events into the Windows Event Log, and from there you can either collect them into Splunk via UF or WMI, or can use Event Log Forwarding (an MS thing) to move those logs to another system, from where you can collect them via UF or WMI.

But either way, that SIEM guide should get you started!

Happy Splunking!
-Rich

Re: Change auditor collect

manish_singh_77 — Wed, 11 Jul 2018 12:52:14 GMT

Oh I see....