
Collecting Logs Windows Servers and Windows Domain Controllers

Codyy_Fast
Explorer

Hello all,

I need your help in analyzing my collected log data.

I have all of our Windows servers connected in Splunk using the Universal Forwarder. This includes the domain controllers as well. Only the security event log is transmitted. I have installed the Splunk Add-on for Microsoft Windows on the Splunk servers (Indexer, Searchead,).

I want to know about failed login attempts, account lockouts, as well as tampering with Local Administrator accounts.

If I now start a search query, for example on Event ID 4625, I get thousands of messages where the field "host" contains my domain controllers. Under "host" I want to see the system that was actually affected.
For example my Splunk query looks like this:

index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval IP-Quelladresse = coalesce(Source_network_address, Quellnetzwerkadresse)
| table _time, ComputerName, Benutzerkonto, Meldung, IP-Quelladresse

(I merge German and English log entries.)

I only want to know when someone tries to log in to the domain controller, locks his account there or hijacks the local admin on the domain controller. I do not want to see log entries of affected systems via the domain controllers.

Do you have a solution to the problem or even suggestions for improvement?

Thanks in advance.

Best regards
Codyy_Fast


gcusello
SplunkTrust

Hi @Codyy_Fast,

using the table command you have all the (e.g.) 4625 events, you can also group them using the stats command:

index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval IP-Quelladresse = coalesce(Source_network_address, Quellnetzwerkadresse)
| stats 
   count 
   earliest(_time) AS earliest
   latest(_time) AS latest
   values(Benutzerkonto) AS Benutzerkonto
   values(Meldung) AS Meldung
   values(IP-Quelladresse) AS IP-Quelladresse
   BY ComputerName

but it depends on the requirements of your search, in other words: what do you want to find?

In addition, if possible don't use "-" or spaces in your field names, use "_" instead, because Splunk translates "-" as the subtraction operator.

Ciao.

Giuseppe
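The question's underlying problem is that a domain controller logs 4625 and 4740 for domain accounts no matter where the attempt originated, so ComputerName is always the DC. The originating system has to be read from the event's own fields instead: Workstation Name (and Logon Type) on 4625, Caller Computer Name on 4740. The following added example, which is not from the thread and not Splunk's own code, shows that decision logic together with the German/English coalescing from the question and the per-host grouping from the answer above, using underscore field names as Giuseppe recommends. The events are constructed; the German labels for Workstation Name, Caller Computer Name and Logon Type are assumptions to verify against your raw events, and treating only logon types 2 and 10 as "logons to the DC itself" is a policy choice you may want to widen (for example to include type 3 network logons).

```python
"""Decide which Windows Security events concern a domain controller itself.

Constructed example, not code from the thread or from Splunk. It mirrors the
SPL in the thread: coalesce German/English field names, keep only events that
target the logging DC, then aggregate per ComputerName like the stats command.
"""
from collections import defaultdict

# Normalised name -> (German extraction, English extraction). The first three
# pairs come from the question; the last three German labels are ASSUMED.
FIELD_ALIASES = {
    "Benutzerkonto": ("Kontoname", "Account_Name"),
    "Meldung": ("Fehlerursache", "Failure_Reason"),
    "IP_Quelladresse": ("Quellnetzwerkadresse", "Source_Network_Address"),
    "Arbeitsstation": ("Arbeitsstationsname", "Workstation_Name"),      # 4625
    "Aufrufer": ("Aufrufercomputername", "Caller_Computer_Name"),      # 4740
    "Anmeldetyp": ("Anmeldetyp", "Logon_Type"),                         # 4625
}

# Assumption: interactive (2) and RemoteInteractive/RDP (10) logons recorded
# on a DC are logons to that DC itself. Widen this set if you also want
# network logons (3) against the DC.
LOCAL_LOGON_TYPES = {"2", "10"}


def normalise(event):
    """Return a dict with underscore field names, German value winning if present."""
    out = {k: event[k] for k in ("_time", "EventCode", "ComputerName")}
    for target, names in FIELD_ALIASES.items():
        out[target] = next((event[n] for n in names if event.get(n)), None)
    return out


def origin_host(ev):
    """The machine the attempt came from: Caller Computer Name for lockouts,
    Workstation Name for failed logons."""
    return ev["Aufrufer"] if ev["EventCode"] == 4740 else ev["Arbeitsstation"]


def concerns_dc_itself(ev, dc_names, local_types=LOCAL_LOGON_TYPES):
    """True when the event is about the DC, not merely reported through it."""
    origin = (origin_host(ev) or "").upper()
    if ev["EventCode"] == 4740:
        return origin in dc_names            # lockout caused from a DC
    return ev["Anmeldetyp"] in local_types or origin in dc_names


def filter_dc_events(events, dc_names):
    dcs = {d.upper() for d in dc_names}
    return [ev for ev in map(normalise, events) if concerns_dc_itself(ev, dcs)]


def summarize_by_host(events):
    """Equivalent of: stats count earliest(_time) latest(_time) values(...) BY ComputerName."""
    groups = defaultdict(lambda: {"count": 0, "earliest": None, "latest": None,
                                  "Benutzerkonto": set(), "Meldung": set(),
                                  "IP_Quelladresse": set()})
    for ev in events:
        g = groups[ev["ComputerName"]]
        g["count"] += 1
        g["earliest"] = ev["_time"] if g["earliest"] is None else min(g["earliest"], ev["_time"])
        g["latest"] = ev["_time"] if g["latest"] is None else max(g["latest"], ev["_time"])
        for f in ("Benutzerkonto", "Meldung", "IP_Quelladresse"):
            if ev[f]:
                g[f].add(ev[f])
    return dict(groups)


# Constructed sample events (Splunk-style extracted fields, epoch _time).
SAMPLE_EVENTS = [
    # Network logon failure against DC01 from a workstation: reported via the DC.
    {"_time": 1000, "EventCode": 4625, "ComputerName": "DC01", "Kontoname": "admin",
     "Fehlerursache": "Unbekannter Benutzername oder ungültiges Kennwort",
     "Quellnetzwerkadresse": "10.0.0.5", "Arbeitsstationsname": "WS-042", "Anmeldetyp": "3"},
    # RDP logon failure to DC01 itself (English-language server).
    {"_time": 1100, "EventCode": 4625, "ComputerName": "DC01", "Account_Name": "Administrator",
     "Failure_Reason": "Unknown user name or bad password.",
     "Source_Network_Address": "10.0.0.9", "Workstation_Name": "DC01", "Logon_Type": "10"},
    # Lockout of a user caused from a workstation: not about the DC.
    {"_time": 1200, "EventCode": 4740, "ComputerName": "DC01", "Kontoname": "jdoe",
     "Aufrufercomputername": "WS-042"},
    # Lockout caused from DC02 itself.
    {"_time": 1300, "EventCode": 4740, "ComputerName": "DC02", "Account_Name": "svc_backup",
     "Caller_Computer_Name": "DC02"},
    # Console logon failure on DC02 itself.
    {"_time": 1400, "EventCode": 4625, "ComputerName": "DC02", "Kontoname": "Administrator",
     "Fehlerursache": "Unbekannter Benutzername oder ungültiges Kennwort",
     "Arbeitsstationsname": "DC02", "Anmeldetyp": "2"},
]

if __name__ == "__main__":
    for host, g in summarize_by_host(filter_dc_events(SAMPLE_EVENTS, ["DC01", "DC02"])).items():
        print(host, g["count"], sorted(g["Benutzerkonto"]), g["earliest"], g["latest"])
```

Translated back to SPL, the filter is a `where` clause after the coalescing evals, for example keeping events with `Logon_Type IN ("2","10")`, or with `Workstation_Name` / `Caller_Computer_Name` equal to one of your DC names, before the `stats ... BY ComputerName` from the answer; for lockouts in particular, Caller Computer Name is the field that tells you which machine caused them.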
