Getting Data In

How to index and forward all Windows Security events?

agarrison
Path Finder

I can't find anything that quite matches what I am trying to do.
We have a security device that can ingest Windows Security logs from Splunk, it would be much easier than installing a second forwarder for the security appliance itself.

I cannot find what I would need to index sourcetype="WinEventLog:Security" as well as forward it to an additional server.

I have tried several implementations on here, but the whole props, transforms, outputs, inputs config file setup is not very intuitive.

0 Karma

agarrison
Path Finder

I have looked at all of those links before posting, Here is the config that I have

transforms.conf
[sent_to_strm]
DEST_KEY = _SYSLOG_ROUTING
FORMAT= strm_server

props.conf
[WinEventLog:Security]
TRANSFORMS-strm = sent_to_strm

outputs.conf

[syslog:strm_server]
server=10.0.250.50:514
indexAndForward=true
sendCookedData=false

      If I add type=tcp to the outputs it will not send, but the appliance is listening for a "TCP multiline event" from splunk and ignores the data if it is UDP
0 Karma

agarrison
Path Finder

Running a Wireshark capture I do not see anything forwarded after I add the type=tcp, but I get events without it. I'm not sure If I need to use _TCP_ROUTING? but When I tried to set that up I do not think I set it up right either since I got nothing.

0 Karma

agarrison
Path Finder

I got it working using:
outputs.conf
[syslog:ms_strm_dev]
server = 10.164.4.200:12468
type = tcp

props.conf
[syslog]
TRANSFORMS-routing = win_strm, win_index, FilterSecurityEvents, trunkEventDesc1, trunkEventDesc2, UserFilter, LogonFilter

transforms.conf
[win_index]
REGEX = ^(\d\d)\/(\d\d)\/(\d\d\d\d)\s(\d\d):(\d\d):(\d\d)\s\w\w
FORMAT = TimeGenerated::$2/$1/$3 $4
DEST_KEY = queue
FORMAT = indexQueue
[win_strm]
REGEX = EventCode=
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ms_strm_dev

But the data comes across with extra information, the event starts with <13> or some other two digit variable that the appliance does not seem to be expecting as well as the host name, which I am going to need them to parse to know where the event originated.

<13> EXCHANGE 03/04/2016 11:01:54 AM

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information

ComputerName=EXCHANGE.domain
TaskCategory=Logon
OpCode=Info
RecordNumber=251551525
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation

New Logon:
Security ID: domain\jdoe
Account Name: jdoe
Account Domain: domain
Logon ID: 0x91E86B45
Logon GUID: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:

Source Network Address: 10.0.0.250
Source Port: 60790

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -

The appliance is apparently looking for the information following this regex:
(?:<(\d+)>\s?(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) )?(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}[AP]M)

I made the following regex that works
(?:<(\d+)>\s(?P\w+) (?P\d{2}\/\d{2}\/\d{4}) (?P\d{2}:\d{2}:\d{2}\ \w+))
But I don't think there is any way to change the regex the appliance uses.

I am using a Juniper JSA appliance, here is the manual, there is a Splunk section but it is not helpful, their document states to see the Splunk documentation

https://www.juniper.net/techpubs/en_US/jsa2014.4/information-products/topic-collections/jsa-configur...

0 Karma

muebel
SplunkTrust
SplunkTrust

Hi agarrison, do you have any heavy-forwarders, or do all of the universal forwarders send straight to the indexer(s)?

0 Karma

agarrison
Path Finder

all of the servers have the Universal forwarder installed going to the splunk indexer. I want to just forward from the indexer so I am not collecting the information twice

0 Karma

muebel
SplunkTrust
SplunkTrust

Hi agarrison, I've got some questions, but here is a provisional answer. If this is possible, it's outlined here: http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Routeandfilterdatad

0 Karma

gfreitas
Builder
0 Karma

agarrison
Path Finder

I have tried Syslog routing and TCP routing and have not managed to get the windows security events to forward as a syslog event either way. any help would be appreciated.

0 Karma

agarrison
Path Finder

The events need to be forwarded using TCP, I can get them out using UDP, but when I enter type=tcp in the outputs.conf it stops sending.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...