Getting Data In

How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

amadmin
New Member

Hi,

I installed Splunk Enterprise to a single instance and am installing the Splunk Universal Forwarder.
The goal is to index only Windows security event logs of Windows login success, failed, and logout.

I have configured the PROPS file on the server as follows:

[default]

[csv]
CHECK_FOR_HEADER = false

[WinEventLog:Security]
# TO MODIFY: filter on the local WinEventLog Security events (Splunk server)
TRANSFORMS-wineventlog_security = SetNull, GetLocalWinAdmin

and TRANSFORMS:

[SetNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[GetLocalWinAdmin]
# Filter to keep logon (failed and successful) and logoff events only for all Admins (Win2000/3 and Win2008)
#REGEX =(?msi)EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s
#REGEX =(?msi)EventCode=(?:5(?:29|3[0-7])|4625)|EventCode=(?:5(28|38|40)|46(?:24|34|47|48))\s+.+(?:(?:User|Account)\s+Name:|(?:Nome\s+(?:utente|account):))\s+(?:Admin|Administrator|user1|user2|user3)\s

source="WinEventLog:*"

on FORWARDER servers I configured the file inputs and outputs as follows:

INPUTS:

[WinEventLog://Security]
checkpointInterval = 5
disabled = 0
current_only = 1 
evt_resolve_ad_obj = 1
# start_from = newest
whitelist = 528,538,540,529,530,531,532,533,534,535,536,537,539,4624,4625,4634,4648,4672,4625,4771

OUTPUTS:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = SPLUNK.domain.local:9997

At present I have received data from 2 sources:
WinEventLog: Application
WinEventLog: System

but not from WinEventLog: Security!!!! That is what I'm interested in.
I do not understand why it's not working. Can anyone help?

Thank you.

0 Karma

woodcock
Esteemed Legend

It appears that you are trying to do 2 levels of filtering.
The first level is whitelisting by EventCode. You have configured this correctly so that only EventCodes in the whitelist should be forwarded. If you keep my first answer (which was remove SetNull from the TRANSFORMS- line), then you will get no additional filtering and you will get some (the whitelisted) events. If you keep SetNull and would like to use it to do additional filtering, then you need to make sure that you use a RegEx that works to pull events back out of the nullQueue (the way you have it right now, it has no RegEx so it is as though it does not exist so all events go into the nullQueue and none are pulled back out).

0 Karma

amadmin
New Member

In your opinion, what is the best way to index ONLY the security events specified in inputs.conf and only for users defined by me?
Must I also keep SetNull?

0 Karma

amadmin
New Member

Thanks for the reply, woodcock.
It is exactly like that: I want to do two levels of filtering.
The first, whitelisting by EventCode, is now OK; for the second filter I would keep SetNull. How can I make a RegEx suitable for this?

Thanks to all for any suggestion.

0 Karma

woodcock
Esteemed Legend

Take a look at my answer; just make sure that you are specifying a valid REGEX and it should work just fine. You will have to restart the Splunk instances on your Indexers, though, and it will only apply to events that are indexed after the restarts.

0 Karma

amadmin
New Member

I would like Splunk to index only events from WinEventLog://Security
with EventCode 528,538,540,529,530,531,532,533,534,535,536,537,539,4624,4625,4634,4648,4672,4625,4711.
In my case, is it useful to use SetNull, and how?

0 Karma

woodcock
Esteemed Legend

If you only need to filter on EventCode, then you do not need anything in props.conf, nor in transforms.conf; your whitelist in inputs.conf should work just fine.

0 Karma

woodcock
Esteemed Legend

This stanza is broken:

[GetLocalWinAdmin]
# Filter to keep logon (failed and successful) and logoff events only for all Admins (Win2000/3 and Win2008)
#REGEX =(?msi)EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s
#REGEX =(?msi)EventCode=(?:5(?:29|3[0-7])|4625)|EventCode=(?:5(28|38|40)|46(?:24|34|47|48))\s+.+(?:(?:User|Account)\s+Name:|(?:Nome\s+(?:utente|account):))\s+(?:Admin|Administrator|user1|user2|user3)\s
source="WinEventLog:*"

Replace it with this (or similar; you may need to fix REGEX):

[GetLocalWinAdmin]
REGEX=(?m)^EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s
DEST_KEY=queue
FORMAT=indexQueue

P.S. Forget my first (wrong) answer (now deleted).

0 Karma

amadmin
New Member

Why was it wrong?
Thanks to the previous answer, I now get WinEventLog: Security events,
but I want to index only WinEventLog: Security.

Could you show the entire TRANSFORMS.conf file? 🙂

thanks

0 Karma