Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Collecting Logs Windows Servers and Windows Domain Controllers

Codyy_Fast
Explorer
‎08-21-2023 02:42 PM

Hello all,

I need your help in analyzing my collected log data.

I have all of our Windows servers connected in Splunk using the Universal Forwarder. This includes the domain controllers as well. Only the security event log is transmitted. I have installed the Splunk Add-on for Microsoft Windows on the Splunk servers (Indexer, Searchead,).

I want to know about failed login attempts, account lockouts, as well as tampering with Local Administrator accounts.

If I now start a search query for example on Event ID 4625, I get thousandfold messages with field "host" where my domain controllers are inside. At "host" I want to see the really affected system.
For example my Splunk query looks like this:

index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval IP-Quelladresse = coalesce(Source_network_address, Quellnetzwerkadresse)
| table _time, ComputerName, Benutzerkonto, Meldung, IP-Quelladresse

(I merge german and english logentries).

I only want to know when someone tries to log in to the domain controller, locks his account there or hijacks the local admin on the domain controller. I do not want to see log entries of affected systems via the domain controllers.

Do you have a solution to the problem or even suggestions for improvement?

Thanks in advance.

Best regards
Codyy_Fast

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-21-2023 11:55 PM

Hi @Codyy_Fast,

using the table command you have all the (e.g.) 4625 events, you can also group them using the stats command:

index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval IP-Quelladresse = coalesce(Source_network_address, Quellnetzwerkadresse)
| stats 
   count 
   earliest(_time) AS earliest
   latest(_time) AS latest
   values(Benutzerkonto) AS Benutzerkonto
   values(Meldung) AS Meldung
   values(IP-Quelladresse) AS IP-Quelladresse
   BY ComputerName

but it depends on what are the requisites of yoru search, in other words: what do you want to find?

In addition, if possible don't use "-" or spaces in your field names, use "_" because Splunk translate it as the subtraction operator.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top