what to log for Security

kgeil
Explorer

Hi, sorry for the novice question, but I currently have two main interests in Splunk. I would like to use both the PCI compliance app, and the Windows Security Operations Center app. Can anyone point me towards some articles which tell me what events I need to start logging in my windows domains to get the information I need? I have both a server 2003 domain, and a separate server 2008 domain.

Thanks,

Kevin

bojanz
Communicator

Hi kgeil,

The Windows Security Operations Center Splunk application uses Windows Event Log data (mainly Security logs) to display everything. In order to create the logs that you need (and you'll need the same logs for your PCI DSS audits), make sure that at least the following configuration settings in your domain policy are present for all servers:

Security Settings - Local Policies/Audit Policy:

  • Audit account logon events: Success, Failure
  • Audit logon events: Success, Failure
  • Audit system events: Success, Failure
  • Audit account management: Success, Failure

Once you have these set up, the WSOC app will handle everything correctly for both Windows 2003 and Windows 2008 servers. The logs can even be mixed.

Also, the current version of the WSOC app requires that the logs are in the "windows" index (otherwise you'll have to modify the searches yourself).

Hopefully I'll find time to put up a new release soon that allows macros for indexes as well as a couple of new things displayed.

Bojan

kgeil
Explorer

Thanks I-Man. That looks like a great place to start. I'm sure I'll be in touch with further questions. Thanks again,

Kevin

kgeil
Explorer

Thanks, any information on what specific events to record in say, the security logs?

Kevin

I-Man
Communicator

All of them. I do have a filter in place as I do not want to see when the Splunk account logs into hosts to grab the Windows logs.

Once you get all of the logs, you can then write reports for specific event codes, for instance a report that displays failed logins by username and host. I have found this site incredibly helpful:

http://www.ultimatewindowssecurity.com/securitylog/quickref/default.aspx
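As an added example (not from this thread or the WSOC app itself), the kind of failed-logon report described above, written to work over a mixed Server 2003 / Server 2008 "windows" index and to exclude the log-collection service account the way I-Man's filter does. It assumes the Splunk Add-on for Windows field names `user` and `host`, and `svc_splunk` is a placeholder for whatever account your forwarders run as.

```spl
index=windows sourcetype="WinEventLog:Security"
    (EventCode=4625
     OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532
     OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=537
     OR EventCode=539)
    NOT user="svc_splunk"
| eval os_generation=if(EventCode=4625, "2008", "2003")
| stats count AS failures,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen,
        values(os_generation) AS os_generation
        BY user, host
| where failures >= 5
| convert ctime(first_seen) ctime(last_seen)
| sort - failures
```

4625 is the Server 2008 "account failed to log on" event; 529-539 are the separate Server 2003 logon-failure codes it replaced, so the `eval` shows which generation of host produced each row. Raise or lower the `failures >= 5` threshold to suit the noise level in your domains.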

I-Man
Communicator

At the very least, you need Application, System, and Security logs from all of your Windows servers. Next you will want syslogs from your routers, switches, firewalls, etc.

link:general info