Getting Data In

Collect Windows DNS and PowerShell logs with Splunk UF

SplunkExplorer
Contributor

Hi Splunkers, for a customer we are performing a migration in Windows log collection: as suggested by some of you in another topic, we are moving from the WMI method to the UF one (and it is very, very, very - have I already said "very"? - better). We encountered a difference from WMI that we don't know how to solve, and here I am to ask for your help.

First, a little recap of the architecture: UFs are installed on the DCs and the data is sent to an HF, which in turn forwards it to a Splunk Cloud instance. So the flow is:

DCs with UF installed -> HF -> Splunk Cloud.

When we configured WMI, we selected the "classic" logs (Security, Application, System) plus DNS and PowerShell. In particular, our SOC is interested in DNS query logs.
When we installed the UF (with the graphical wizard), we found only the "classic" options: Security, Application and System.
If we also want to collect DNS query logs and PowerShell ones, how can we achieve this using the UF? I suspect we need to modify the inputs.conf file, but is my assumption correct? And if so, how do I go on?


GaetanVP
Contributor

Hello @SplunkExplorer,

Indeed you're right, you can add some lines to the inputs.conf file to tell your Splunk UF to "monitor more stuff".

More precisely, during the UF installation, Splunk should have created an application with an inputs.conf file that you can open and modify at this path:
C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local

If you want to keep all your monitored files/channels in the same place, you can add the new configuration at the bottom of this file (otherwise you could create a new app with its own inputs.conf file)...

Never mind, in order to monitor the PowerShell logs, you can simply add a new stanza with the following:

It will be very similar to the stanza that Splunk created at installation time, since all those types of logs can be retrieved from Windows event channels (PowerShell is just another one, like System, Application or Security...)

[WinEventLog://Windows PowerShell]
checkpointInterval = 5
current_only = 1
disabled = 0
renderXml = 1
evt_resolve_ad_obj = 1

If you want details on the purpose of each key, feel free to check the official inputs.conf doc: https://docs.splunk.com/Documentation/Splunk/9.0.5/Admin/Inputsconf

Do not forget to restart your Splunk UF (restart the service or use the "splunk restart" command)!

For DNS logs, I do not know if the logs are registered in a Win Event Channel... Or do you save the logs in a specific location? That location could be monitored with the same inputs.conf file.

Hope it helps!

GaetanVP

SplunkExplorer
Contributor

Hi @GaetanVP, I collected the answer from the customer and we got this: no particular configuration has been performed, except configuring debugging and the related archives on a network share:

[attached screenshot: SplunkExplorer_0-1689151648608.png]

I'm not a great expert on Windows, but this should be only a copy for debugging purposes, so the normal flow should be a classic Win Event Channel, right? In such a case, a stanza with the header:

[WinEventLog://Windows DNS Server]

and the proper parameters should be fine, right?


GaetanVP
Contributor

Hello @SplunkExplorer,

Haha, I am not a Windows expert either! But yes, the main question is: are we sure that the DNS logs go to a Windows Event channel (from what I read it should be the case) + what is the name of this Win Event channel (if you put a wrong name in the stanza of the inputs.conf file, no data will be forwarded).

If you can RDP to the DNS server, you can open the Windows Event Viewer, search for that channel and retrieve its exact name.

But you got the point: once you have the channel name, just add a new stanza block in the inputs.conf file, just like you did for the PowerShell logs!

Good luck,

GaetanVP
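As an added example (this is not code from the thread, from Splunk, or from the Splunk UF), the check GaetanVP describes, done in PowerShell on the DC itself rather than by clicking through Event Viewer: list the event channels whose names mention DNS or PowerShell, then read every WinEventLog:// stanza out of the UF's inputs.conf (the path quoted earlier in the thread is assumed; change $InputsConf if your app lives elsewhere) and confirm each stanza names a channel that actually exists on the host. For each existing channel it also reports whether the channel is enabled and when it last received an event, which is what you need when a stanza is in place but nothing shows up in Splunk. The wildcard discovery covers both the PowerShell stanza from the earlier answer and the DNS channel question from this one; the only channel names hard-coded below as comments are ones known to exist on Windows Server ("DNS Server" and "Microsoft-Windows-PowerShell/Operational"), everything else comes from the listing.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell
# session on the DC / DNS server where the Universal Forwarder is installed.
# Assumption: inputs.conf is at the path given in the thread.
$InputsConf = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf'

# 1) Discover candidate channels. Names must match the LogName column exactly
#    (case-insensitive). Known examples: 'DNS Server' (the classic DNS channel under
#    Applications and Services Logs) and 'Microsoft-Windows-PowerShell/Operational'
#    (script block logging, event ID 4104). Analytic/Debug type channels are
#    disabled by default, so IsEnabled is worth checking too.
Write-Host "== Channels on this host matching *DNS* or *PowerShell* =="
Get-WinEvent -ListLog '*DNS*', '*PowerShell*' -ErrorAction SilentlyContinue |
    Select-Object LogName, LogType, IsEnabled, RecordCount |
    Format-Table -AutoSize

# 2) Extract every [WinEventLog://<channel>] stanza from inputs.conf.
$stanzaRegex = '^\s*\[WinEventLog://(?<channel>[^\]]+)\]\s*$'
$configured = Get-Content -Path $InputsConf |
    ForEach-Object { if ($_ -match $stanzaRegex) { $Matches['channel'].Trim() } }

if (-not $configured) {
    Write-Warning "No WinEventLog:// stanzas found in $InputsConf"
    return
}

# 3) Validate each stanza against the channels registered on this host.
#    A stanza naming a channel that does not exist produces no data and no
#    obvious error on the Splunk side, so this is the first thing to verify.
$existing = (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue).LogName

Write-Host "== Stanzas in inputs.conf =="
foreach ($channel in $configured) {
    $match = $existing | Where-Object { $_ -ieq $channel } | Select-Object -First 1
    if (-not $match) {
        Write-Host ("MISSING  {0}  -> no channel with this name; pick the exact LogName from the table above" -f $channel)
        continue
    }
    $cfg  = Get-WinEvent -ListLog $match
    $last = Get-WinEvent -LogName $match -MaxEvents 1 -ErrorAction SilentlyContinue
    $lastSeen = if ($last) { $last.TimeCreated } else { 'never' }
    Write-Host ("OK       {0}  enabled={1} records={2} lastEvent={3}" -f $match, $cfg.IsEnabled, $cfg.RecordCount, $lastSeen)
}
```

If a channel reports OK but enabled=False or lastEvent=never, the stanza is correct and the problem is on the Windows side (logging for that channel is switched off or nothing is being written), not in the UF. Note that the DNS debug log the customer described as being archived to a network share is a flat text file, not an event channel; if that is the data the SOC actually wants, it has to be picked up with a [monitor://<path>] stanza, which is a different input type from WinEventLog://.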

SplunkExplorer
Contributor

Hi @GaetanVP, thanks a lot for your fast and kind answer.
Now it is totally clear how to add PowerShell logs to the collected ones!

Regarding your question on DNS, I don't know the answer; I mean, if your question is related to a config on the Microsoft side, I have no access to this data, because the customer's hosts are in its data center and we do not manage the Domain Controller configuration. I have to check with our contact before giving you an answer.
