I have a windows esxi server and installed splunk on this server and installed "Splunk Add-on for Windows" and created a local file in the Splunk folder and input.config is used Wineventlog is enabled and local event log is received in Splunk
this server installed "cyberark" also for client to access this esxi server using from "remote desktop connection"
Question:
-
Does my local esxi server splunk get an event log to get login details for someone to access my "remote desktop connection"?
-
my event log is currently receiving the local event log and there is no srcip and no port, ip address details and everything is empty
Maybe Splunk runs locally and gets a local event log, meaning it doesn't show any ip address and port or srcip sections in the g event?
-
I need to receive if someone accesses my machine from "remote desktop connection" then the event log I want to receive the IP address details is required, do I need to change any input.config to receive the address information IP correctly?
Should i create a stanza in input.config to receive the login event log in splunk ?like this example?
[WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXML = false
or
[WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
disabled = 0
