How to use Splunk to monitor failed logins and changes to files on network shares in Windows Event Logs Analysis?

New Member

Hello, I am very new to Splunk and have been trying to learn about it through videos and reading. I am part of an IT Service company that provides support for small to medium-sized businesses. We are looking into using Splunk to monitor failed logins and changes to files on network shares. As far as I know, Splunk can do both of those things. We installed Splunk on our test server and I was able to set it up to search for the failed logins and it worked. The issue is that it only works right when I add the data. It is not pulling in any logs after I have added the data. What would we need to do to have it keep updating the logs? Also if someone could point me in the direction of where I could learn to setup file monitoring, I would be extremely grateful. Thank you.

1 Solution

Splunk Employee

If you are trying to ingest Windows Event Logs locally, where you have installed Splunk, you can set it up through the GUI. Take a look here under the section titled, "Use Splunk Web to configure event log monitoring".

If you want to ingest Windows Event Logs from a remote Windows machine, you will need to install a Universal Forwarder to collect and forward the data to your Splunk indexers. On the Windows version of the forwarder, it will prompt you for what you would like to monitor during installation (System, Security, Application logs, performance metrics). In this case, you will need to make sure of a few things:

  • There are no firewalls blocking communication between the forwarder and the indexers.
  • You need to configure Splunk to listen on port 9997 (default). see here

As for file monitoring, you can take a look here at the docs. This is a deprecated functionality, meaning, it still works, but could potentially go away in future versions of Splunk Enterprise.

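The following script is an added example and is not code from the original post, from the answer above, or from Splunk; it ties the answer's steps together for the remote-forwarder case (continuous monitoring of the Security log rather than a one-time data add). It assumes hypothetical values: the share lives at D:\Shares\Finance, the indexer is splunk-idx01.example.com with a `wineventlog` index already created and `splunk enable listen 9997` already run on it, and the Universal Forwarder is installed in its default path. The app name `winevent_share_audit` is also invented. Run it in an elevated PowerShell session on the file server.

```powershell
# Added example (not from the original post or from Splunk): prepare a Windows
# file server so a Universal Forwarder ships failed logons and share-file changes.
# All paths, host names and the app name below are assumptions for illustration.

$SharePath   = 'D:\Shares\Finance'                              # assumed share folder
$Indexer     = 'splunk-idx01.example.com'                       # assumed indexer
$IndexerPort = 9997                                             # Splunk default receiving port
$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'      # default UF install path

# 1. Windows only writes the events we want if the audit policy asks for them:
#    4625 (failed logon) comes from the Logon subcategory; 4663 (object access),
#    5140 (share accessed) and 5145 (share object accessed) come from Object Access.
#    auditpol edits the local policy; a domain GPO can override these settings.
auditpol /set /subcategory:"Logon"               /success:enable /failure:enable
auditpol /set /subcategory:"File System"         /success:enable /failure:enable
auditpol /set /subcategory:"File Share"          /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable   # 5145 is noisy; drop this line if volume is a problem

# 2. 4663 also needs a SACL on the folder itself: audit writes, deletes and
#    permission changes by anyone, inherited by all files and subfolders.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Forwarder inputs: monitor the Security log continuously (not a one-shot
#    upload) and only forward the event codes we care about. Putting this in an
#    app directory avoids overwriting etc\system\local\inputs.conf from the installer.
$appLocal = Join-Path $SplunkHome 'etc\apps\winevent_share_audit\local'   # assumed app name
New-Item -ItemType Directory -Force -Path $appLocal | Out-Null

@"
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
# 4625 failed logon, 4663 file/folder access, 5140/5145 network share access
whitelist = 4625,4663,5140,5145
index = wineventlog
"@ | Set-Content -Path (Join-Path $appLocal 'inputs.conf') -Encoding ASCII

# 4. Forwarder outputs: where to send the data (the indexer must be listening
#    on this port, per the answer above).
@"
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = ${Indexer}:${IndexerPort}
"@ | Set-Content -Path (Join-Path $appLocal 'outputs.conf') -Encoding ASCII

# 5. The other item from the answer: make sure nothing between this host and the
#    indexer blocks the receiving port before restarting the forwarder.
$probe = Test-NetConnection -ComputerName $Indexer -Port $IndexerPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach ${Indexer}:${IndexerPort}. Check firewalls and that the indexer has 'splunk enable listen $IndexerPort'."
}

# 6. Restart the forwarder service so it picks up the new configuration.
Restart-Service -Name SplunkForwarder

# 7. Sanity check on the source side: are failed-logon events actually being
#    written locally? If this returns nothing, Splunk has nothing to forward.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# On the search head, a first search to confirm the pipeline end to end:
#   index=wineventlog EventCode=4625 | stats count by Account_Name, Workstation_Name
#   index=wineventlog EventCode=4663 | stats count by Account_Name, Object_Name, Accesses
```

Two things worth knowing before relying on this: the SACL and audit-policy steps are what actually make Windows emit 4663 and 5145, so a forwarder alone never produces file-change events on a share that was not already audited; and the `whitelist` filter is applied on the forwarder, which keeps licence usage down but means any event code you later want (for example 4624 successful logons for comparison) must be added there and the service restarted.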


New Member

Thank you for the help. I will look into the things you posted here for me and report back if I have any more questions. I appreciate it!
