How to use Splunk to monitor failed logins and changes to files on network shares in Windows Event Logs Analysis?

dferreri
New Member

Hello, I am very new to Splunk and have been trying to learn about it through videos and reading. I am part of an IT Service company that provides support for small to medium-sized businesses. We are looking into using Splunk to monitor failed logins and changes to files on network shares. As far as I know, Splunk can do both of those things. We installed Splunk on our test server and I was able to set it up to search for the failed logins and it worked. The issue is that it only works right when I add the data. It is not pulling in any logs after I have added the data. What would we need to do to have it keep updating the logs? Also if someone could point me in the direction of where I could learn to setup file monitoring, I would be extremely grateful. Thank you.

1 Solution

kmorris_splunk
Splunk Employee

If you are trying to ingest Windows Event Logs locally, where you have installed Splunk, you can set it up through the GUI. Take a look here under the section titled, "Use Splunk Web to configure event log monitoring".

If you want to ingest Windows Event Logs from a remote Windows machine, you will need to install a Universal Forwarder to collect and forward the data to your Splunk indexers. On the Windows version of the forwarder, it will prompt you for what you would like to monitor during installation (System, Security, Application logs, performance metrics). In this case, you will need to make sure of a few things:

  • There are no firewalls blocking communication between the forwarder and the indexers.
  • You need to configure Splunk to listen on port 9997 (default); see here.

As for file monitoring, you can take a look here at the docs. This is a deprecated functionality, meaning, it still works, but could potentially go away in future versions of Splunk Enterprise.

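The steps in the answer above (configure the event log input, install a Universal Forwarder on the file server, open port 9997 on the indexer, optionally use the deprecated file system change monitor) as a set of concrete configuration stanzas. This is an added example, not configuration from the original post or from Splunk's documentation. The hostname idx01.example.internal, the share path D:\Shares\Finance, the index name wineventlog and the output group name primary_indexers are assumptions for illustration; replace them with your own values.

```ini
# ===== On the Windows file server: Universal Forwarder =====
# %SPLUNK_HOME%\etc\system\local\inputs.conf
# (example configuration; hostnames, paths and index names are assumed)

[WinEventLog://Security]
disabled = 0
index = wineventlog
# Read from the oldest event on first start, then keep tailing the channel
# (a monitor input keeps forwarding; a one-time "Upload" in Splunk Web does not).
start_from = oldest
current_only = 0
# Forward only the event IDs this use case needs:
#   4625 = an account failed to log on
#   4663 = an attempt was made to access an object (file/folder on the share)
#   4670 = permissions on an object were changed
# 4663/4670 only exist if Object Access auditing is enabled on the server
# and the shared folder carries a SACL (auditing entry).
whitelist = 4625,4663,4670
# Resolve SIDs/GUIDs to readable account and object names.
evt_resolve_ad_obj = 1
checkpointInterval = 5

# Optional: the deprecated file system change monitor mentioned in the answer.
# It watches the folder itself and does not depend on Windows auditing.
[fschange:D:\Shares\Finance]
disabled = 0
recurse = true
pollPeriod = 60
fullEvent = false
index = wineventlog

# %SPLUNK_HOME%\etc\system\local\outputs.conf (same forwarder)
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx01.example.internal:9997
# For anything beyond a lab, protect this link with TLS, e.g. sslRootCAPath
# and sslVerifyServerCert = true, so event data is not forwarded in clear text.

# ===== On the Splunk indexer =====
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Listen for forwarders on the default receiving port (allow TCP/9997 inbound
# through any host or network firewall in between).
[splunktcp://9997]
disabled = 0

# $SPLUNK_HOME/etc/system/local/indexes.conf
# Create the target index; events sent to an index that does not exist are
# dropped on the indexer rather than landing in main.
[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
```

Restart the forwarder and the indexer (`splunk restart`) after editing these files. Two caveats worth checking before you rely on this: first, the Security log input will happily run with nothing to forward if file auditing is not turned on, so enable "Audit File System" under Object Access in the server's audit policy and add an auditing entry on the shared folder for the principals and access types you care about; second, 4663 is very noisy when the SACL is broad (every read by every user), so scope it to writes, deletes and permission changes on the folders that matter.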


dferreri
New Member

Thank you for the help. I will look into the things you posted here for me and report back if I have any more questions. I appreciate it!
