All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Logs not coming from Windows Defender

test_qweqwe
Builder
‎01-13-2018 07:36 AM

Hi
I have running Windows Defender and want to collect logs to Splunk.

  1. Windows Defender that running on my host Windows 10 Enterprise LTSB;
  2. Splunk 7.0 that collect logs local from my host;
  3. TA for Microsoft Windows Dedender;

Logs not collected.
What should I do to fix it? I have no idea.

0 Karma
Reply

mjeffery_splunk
Splunk Employee
Splunk Employee
‎01-13-2018 07:50 AM

Did you deploy the add-on to the Windows host you wish to get the logs from?

Ideally, you would do this from the Forwarder Manager (Settings->Forwarder Management).
Copy the add-on from $SPLUNK/etc/apps to $SPLUNK/etc/deploy-apps.
Create a new folder "local" in $SPLUNK/etc/deploy-apps//
Copy the inputs.conf from the "default" folder to "local" (the one you just created)
Change "disabled = true" to "disabled = false"

Verify that the TA_microsoft-windefender folder is on the host you wish to get that data from and then you should be good to go.

Restart the forwarder service (services.msc) for good measure.

0 Karma
Reply

test_qweqwe
Builder
‎01-13-2018 07:55 AM

I did it all and it's not helped.

0 Karma
Reply

mjeffery_splunk
Splunk Employee
Splunk Employee
‎01-13-2018 01:42 PM

Bring up the Event Viewer on the Windows box you're trying to get those logs from and verify that it is indeed logging the events under "Applications and Services Logs"

0 Karma
Reply

test_qweqwe
Builder
‎01-13-2018 01:57 PM

So, if i generating new event (downloaded poor virus that windefender detect) it's sends logs. One problem is resolved \o/

But another problem, how to collect all logs from Windefender?
Not only new. All from beginning to now. And yes in Event Viewer in Microsoft-Windows-Windows Defender/Operational there are many logs.

0 Karma
Reply

test_qweqwe
Builder
‎01-13-2018 02:10 PM

My config

[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
start_from = oldest
current_only = 0
renderXml = 1
0 Karma
Reply

pdoconnell
Path Finder
‎01-13-2018 03:23 PM

This works for me:
[WinEventLog://Microsoft-Windows-Windows Defender/Operational]
index = windefender
disabled = false
renderXml = 1

I confirm logs coming into Splunk for index=windefender with that input. Confirm that your Windows Defender log location is correct for your system.

0 Karma
Reply

test_qweqwe
Builder
‎01-13-2018 03:28 PM

Hi!
In my previous comment I said that logs coming, but only new. I need historical (old) and new logs.

0 Karma
Reply

pdoconnell
Path Finder
‎01-13-2018 03:38 PM

It looks like the start_from and current_only stanzas dont appear anymore in the inputs.conf definition. Maybe it is no longer supported?

0 Karma
Reply

test_qweqwe
Builder
‎01-13-2018 05:43 PM

Maybe, but how me collect all logs of windefender that i have on my PC? 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...