
what to log for Security

kgeil
Explorer

Hi, sorry for the novice question, but I currently have two main interests in Splunk. I would like to use both the PCI compliance app and the Windows Security Operations Center app. Can anyone point me towards some articles which tell me what events I need to start logging in my Windows domains to get the information I need? I have both a Server 2003 domain and a separate Server 2008 domain.

Thanks,

Kevin

0 Karma

bojanz
Communicator

Hi kgeil,

The Windows Security Operations Center Splunk application uses Windows Event Log logs (mainly Security logs) to display everything. In order to create the logs that you need (and you'll need the same logs for your PCI DSS audits), make sure that at least the following configuration settings in your domain policy are present for all servers:

Security Settings - Local Policies/Audit Policy:

  • Audit account logon events: Success, Failure
  • Audit logon events: Success, Failure
  • Audit system events: Success, Failure
  • Audit account management: Success, Failure

Once you have these set up, the WSOC app will handle everything correctly for both Windows 2003 and Windows 2008 servers. The logs can even be mixed.

Also, the current version of the WSOC app requires that the logs are in the "windows" index (otherwise you'll have to modify the searches yourself).

Hopefully I'll find time to put up a new release soon that allows macros for indexes as well as a couple of new things displayed.

Bojan

0 Karma

kgeil
Explorer

Thanks I-Man. That looks like a great place to start. I'm sure I'll be in touch with further questions. Thanks again,

Kevin

0 Karma

kgeil
Explorer

Thanks, any information on what specific events to record in, say, the Security logs?

Kevin

0 Karma

I-Man
Communicator

All of them. I do have a filter in place as I do not want to see when the Splunk account logs into hosts to grab the Windows logs.

Once you get all of the logs, you can then write reports for specific event codes, for instance a report that displays failed logins by username and host. I have found this site incredibly helpful:

http://www.ultimatewindowssecurity.com/securitylog/quickref/default.aspx
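
An added example, not part of the original thread: a sketch of the "failed logins by username and host" report for a mixed Server 2003 / Server 2008 estate, where 2003 logs one event ID per failure reason (529-537, 539) and 2008 logs every failed logon as 4625. The event records, their key names, and the `splunk_svc` account are constructed assumptions, not a Splunk export format.

```python
from collections import Counter

# Failed-logon event IDs: Server 2003 uses one ID per failure reason,
# Server 2008 reports every failed logon as 4625.
FAILED_LOGON_2003 = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}
FAILED_LOGON_2008 = {4625}
FAILED_LOGON = FAILED_LOGON_2003 | FAILED_LOGON_2008

# Constructed sample events (not real log data); key names are assumptions.
SAMPLE_EVENTS = [
    {"host": "dc2003", "EventCode": "529", "user": "Alice"},
    {"host": "dc2003", "EventCode": "539", "user": "alice"},
    {"host": "dc2003", "EventCode": "528", "user": "alice"},   # success (2003)
    {"host": "fs2008", "EventCode": "4625", "user": "bob"},
    {"host": "fs2008", "EventCode": "4625", "user": "BOB"},
    {"host": "fs2008", "EventCode": "4625", "user": "bob"},
    {"host": "fs2008", "EventCode": "4624", "user": "bob"},    # success (2008)
    {"host": "fs2008", "EventCode": "4625", "user": "splunk_svc"},
    {"host": "fs2008", "EventCode": "n/a", "user": "bob"},     # malformed record
]

def failed_logons(events, ignore_users=()):
    """Count failed logons per (user, host) across 2003 and 2008 event IDs."""
    ignored = {u.lower() for u in ignore_users}
    counts = Counter()
    for ev in events:
        try:
            code = int(ev.get("EventCode", ""))
        except (TypeError, ValueError):
            continue  # skip records without a numeric event ID
        if code not in FAILED_LOGON:
            continue
        # Windows account names are case-insensitive, so fold case.
        user = (ev.get("user") or "unknown").lower()
        if user in ignored:
            continue
        counts[(user, ev.get("host", "unknown"))] += 1
    return counts

def report(events, ignore_users=()):
    """Rows of (user, host, count), highest count first."""
    rows = failed_logons(events, ignore_users)
    return sorted(((u, h, n) for (u, h), n in rows.items()),
                  key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for user, host, n in report(SAMPLE_EVENTS, ignore_users=["splunk_svc"]):
        print(f"{user:12} {host:8} {n}")
```
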

I-Man
Communicator

At the very least, you need Application, System, and Security logs from all of your Windows servers. Next you will want syslogs from your routers, switches, firewalls, etc.

link:general info
