Getting Data In

Collecting Logs Windows Servers and Windows Domain Controllers

Codyy_Fast
Explorer

Hello all,

I need your help in analyzing my collected log data.

I have all of our Windows servers connected to Splunk using the Universal Forwarder. This includes the domain controllers as well. Only the Security event log is transmitted. I have installed the Splunk Add-on for Microsoft Windows on the Splunk servers (indexer, search head).

I want to know about failed login attempts, account lockouts, as well as tampering with Local Administrator accounts.

If I now run a search, for example on Event ID 4625, I get thousands of messages whose "host" field contains my domain controllers. In "host" I want to see the system that is really affected.
For example my Splunk query looks like this:

index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval 'IP-Quelladresse' = coalesce(Source_network_address, Quellnetzwerkadresse)
| table _time, ComputerName, Benutzerkonto, Meldung, IP-Quelladresse

(I merge German and English log entries.)

I only want to know when someone tries to log in to the domain controller, locks his account there or hijacks the local admin on the domain controller. I do not want to see log entries of affected systems via the domain controllers.

Do you have a solution to the problem or even suggestions for improvement?

Thanks in advance.

Best regards
Codyy_Fast


gcusello
SplunkTrust

Hi @Codyy_Fast,

Using the table command you get all the (e.g.) 4625 events; you can also group them using the stats command:

index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval 'IP-Quelladresse' = coalesce(Source_network_address, Quellnetzwerkadresse)
| stats 
   count 
   earliest(_time) AS earliest
   latest(_time) AS latest
   values(Benutzerkonto) AS Benutzerkonto
   values(Meldung) AS Meldung
   values(IP-Quelladresse) AS IP-Quelladresse
   BY ComputerName

but it depends on the requirements of your search, in other words: what do you want to find?

In addition, if possible don't use "-" or spaces in your field names; use "_" instead, because Splunk translates "-" as the subtraction operator.

Ciao.

Giuseppe

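Added example (not posted in this thread): one way to cut the result down to events where the domain controller itself is the target, which is what the question asks for. It assumes the Splunk Add-on for Microsoft Windows extracts the 4625 fields Logon_Type and Workstation_Name and the 4740 field Caller_Computer_Name, that ComputerName holds the DC's FQDN while the workstation fields hold the short NetBIOS name, and it uses underscores in field names as advised above. Events with an empty or "-" workstation name are kept on purpose so they can be reviewed rather than silently dropped.

```spl
index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740)
| eval Benutzerkonto = coalesce(Kontoname, Account_Name)
| eval Meldung = coalesce(Fehlerursache, Failure_Reason)
| eval IP_Quelladresse = coalesce(Source_network_address, Quellnetzwerkadresse)
| eval dc_short = upper(mvindex(split(ComputerName, "."), 0))
| eval ws_name = coalesce(Workstation_Name, Caller_Computer_Name, "-")
| eval ws_short = upper(mvindex(split(ws_name, "."), 0))
| eval Grund = case(
      EventCode=4625 AND (Logon_Type=2 OR Logon_Type=10 OR Logon_Type=11), "interactive or RDP logon attempt on the DC",
      EventCode=4625 AND ws_short=dc_short, "network logon attempt aimed at the DC itself",
      EventCode=4625 AND ws_name="-", "logon attempt with unknown workstation (review)",
      EventCode=4740 AND ws_short=dc_short, "lockout triggered from the DC itself",
      true(), null())
| where isnotnull(Grund)
| stats count earliest(_time) AS earliest latest(_time) AS latest values(Benutzerkonto) AS Benutzerkonto values(Meldung) AS Meldung values(IP_Quelladresse) AS IP_Quelladresse values(Grund) AS Grund BY ComputerName, EventCode
| convert ctime(earliest) ctime(latest)
```

Everything the DC only logged on behalf of another member server (Workstation_Name or Caller_Computer_Name pointing at a different host) falls out of the result; to audit those systems instead, invert the ws_short=dc_short tests.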