Hi, sorry for the novice question, but I currently have two main interests in Splunk. I would like to use both the PCI compliance app and the Windows Security Operations Center app. Can anyone point me towards some articles which tell me what events I need to start logging in my Windows domains to get the information I need? I have both a Server 2003 domain and a separate Server 2008 domain.
The Windows Security Operations Center Splunk application uses Windows Event Log logs (mainly Security logs) to display everything. In order to create the logs that you need (and you'll need the same logs for your PCI DSS audits), make sure that at least the following configuration settings in your domain policy are present for all servers:
Security Settings - Local Policies/Audit Policy:
Once you have these set up, the WSOC app will handle everything correctly for both Windows 2003 and Windows 2008 servers. The logs can even be mixed.
Also, the current version of the WSOC app requires that the logs are in the "windows" index (otherwise you'll have to modify the searches yourself).
Hopefully I'll find time to put up a new release soon that allows macros for indexes as well as a couple of new things displayed.
All of them. I do have a filter in place as I do not want to see when the Splunk account logs into hosts to grab the Windows logs.
Once you get all of the logs, you can then write reports for specific event codes, for instance a report that displays failed logins by username and host. I have found this site incredibly helpful:
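As an added illustration of the kind of report the answer above describes (failed logins by username and host, with the log-collector account filtered out), here is a small Python script that runs the same aggregation over a handful of constructed Windows Security events. It is not code from the thread, the WSOC app or the PCI app; the event codes 529 (Server 2003) and 4625 (Server 2008) are the standard failed-logon IDs for those versions, while the hostnames, user names, the `svc_splunk` collector account and the SPL search in the comment are assumptions made for the example.

```python
"""Failed-logon report over Windows Security events.

Added example modelled on the report described in the Splunk Answers thread
above; not part of the original thread or of the WSOC / PCI compliance apps.
"""
from collections import Counter

# Windows Security event codes for a failed logon attempt:
#   529  = Server 2003 (classic event log)
#   4625 = Server 2008 and later
# Both are kept because the thread mixes 2003 and 2008 domains.
FAILED_LOGON_CODES = {"529", "4625"}

# Rough SPL equivalent of the report below (assumed, not from the thread;
# "windows" is the index the WSOC answer says the app expects):
#   index=windows sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=529)
#   Account_Name!=svc_splunk | stats count by Account_Name, ComputerName

# Constructed sample events in the key=value shape Splunk extracts from
# Windows Security logs. Hostnames, users and "svc_splunk" are made up.
SAMPLE_EVENTS = [
    "EventCode=4625 ComputerName=DC01.corp.example Account_Name=alice",
    "EventCode=4625 ComputerName=DC01.corp.example Account_Name=alice",
    "EventCode=4624 ComputerName=DC01.corp.example Account_Name=alice",  # success, ignored
    "EventCode=529 ComputerName=FS2003.corp.example Account_Name=bob",   # 2003-style code
    "EventCode=4625 ComputerName=APP08.corp.example Account_Name=svc_splunk",  # collector
    "EventCode=4625 ComputerName=APP08.corp.example Account_Name=carol",
    "EventCode=4625 ComputerName=DC01.corp.example Account_Name=alice",
]


def parse_event(line):
    """Turn a 'k=v k=v ...' line into a dict; tokens without '=' are skipped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def failed_logons_by_user_host(lines, exclude_accounts=("svc_splunk",)):
    """Count failed logons per (user, host).

    exclude_accounts is the filter the second answer mentions: the account
    Splunk uses to collect the logs generates its own logon noise, so it is
    dropped here rather than in the dashboard.
    """
    excluded = {a.lower() for a in exclude_accounts}
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventCode") not in FAILED_LOGON_CODES:
            continue
        user = ev.get("Account_Name", "")
        if user.lower() in excluded:
            continue
        counts[(user, ev.get("ComputerName", ""))] += 1
    return dict(counts)


def report(lines, exclude_accounts=("svc_splunk",)):
    """Rows sorted by count (descending), then user and host, like a stats table."""
    counts = failed_logons_by_user_host(lines, exclude_accounts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (user, host), n in report(SAMPLE_EVENTS):
        print(f"{n:4d}  {user:<12} {host}")
```

Feeding it real exported events would mean replacing `SAMPLE_EVENTS` with lines from your own index; the point of the script is the shape of the report (filter on the failed-logon codes, drop the collector account, count by user and host), which is the same whether it runs here or as a saved search in Splunk.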