All Apps and Add-ons

look elsewhere for data

tnorth42
Explorer

The searches in security splunk essentials point to a default source of wineventlog:security, can we change to point to a different source or index?

David
Splunk Employee
Splunk Employee

Yes (ish)! Assuming you're running Version 2.0.0 (released yesterday), you can turn on Advanced SPL mode (click the "Show SPL" link to access) to manually change the criteria for any given search you're looking at. Every search should be using index=*, so you shouldn't need to worry about the index itself. (If there are any exceptions, I'll get them fixed in the next bug release.)

If you want to change it on a global level (e.g., "we always use sourcetype=abc for our Windows Security Logs") then I actually do have some thoughts of maybe being able to support that in the future, but it's probably still a ways out -- first I've got to get through the things I wasn't able to fit into my 2.0.0 release timeline. There is a workaround though: you can edit the json files in /components/data/sampleSearches/*.json to specify your alternate sourcetype.. it will be overwritten at the next upgrade, but it's a workaround for now.

I would be curious to know the specifics of what sourcetypes you have for Windows Security logs that are not wineventlog:security. If it's xmlwineventlog:security -- that one I'm definitely going to fix in the relatively near future. If it's something else entirely, I'd love to hear what you're doing. (I can email you directly as well, if you'd prefer.)

0 Karma

smallfry
Explorer

Hey David. First of all, thanks for the App. It's very useful. I tried v2.2.0 of the app but realized that we need to edit the json files. For instance, the firewall logs by default is for Palo Alto while we are using a mixture of Cisco and Fortinet. If you next release can incorporate a set up or settings interface, it woud be perfect!

0 Karma

tnorth42
Explorer

Thank you!

0 Karma

tnorth42
Explorer

Awesome, we just installed 2.0 today. We will edit the json as suggested above. We have a subscription pushed out through GPO to all of our windows systems that send their data to 2 windows event collectors, from there we are utilizing splunk universal forwarder and all events are coming in with source="WinEventLog:ForwardedEvents".

0 Karma

David
Splunk Employee
Splunk Employee

Ahhh, interesting! That wasn't on my roadmap, but as I sketch out the design for that feature, I'll make sure forwardedevents are in scope.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...