Hello,
Excuse my lack of expertise with Splunk. Could you please let me know how I can track when a specific user logs on to and logs off from the computer? I am using a universal forwarder on the DC, only for the security logs. I can see that I have a lot of events inside the Splunk server, so it must be working.
Thank you
How about Security Essentials?
Hi @gntavelis,
if you have DC logs, you surely have the following EventCodes related to logon, logoff and logon failure:
logon 4624, logon failure 4625, logoff 4634.
So you can search something like this:
index=wineventlog (EventCode=4624 OR EventCode=4625 OR EventCode=4634
| table _time user EventCode EventCodeDescription
Ciao.
Giuseppe
Problems...
I am using the trial (free) version of Splunk and, due to the number of events, I think I violated the license.
Is there a way to forward only specific events from the domain controller to Splunk? Maybe by using a subscription in the Event Viewer? Right now I am using the Splunk universal forwarder installed on the domain controller; I do have the option to select only the Security log, but I don't have the option to select specific events....
Please help
Thank you
Hi @gntavelis,
you can filter events in the Universal Forwarder.
In inputs.conf on the Domain Controller:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 4624,4625,4634
index = wineventlog
renderXml=false
Ciao.
Giuseppe
Hello Giuseppe! Thank you for your answer...
I searched inside the Splunk universal forwarder directory and there is a directory named input and, let's say, 6 or 7 inputs.conf files. Could you please tell me which conf file I have to edit?
image: https://imgur.com/XynPDRa
Hi @gntavelis,
inputs.conf usually is in $SPLUNK_HOME/etc/apps/your_TA/local; probably the TA's name is TA_Windows, so open your $SPLUNK_HOME/etc/apps/TA_Windows/local/inputs.conf.
You should find the stanza [WinEventLog://Security]; in this stanza add the row
whitelist = 4624,4625,4634
and restart Splunk.
If you have many Universal Forwarders, you are probably managing them using a Deployment Server; in this case you have to modify TA_Windows on the Deployment Server, not directly on the Universal Forwarders.
Ciao.
Giuseppe
Giuseppe thank you very much for your reply.
Where must I copy and paste the SPL statement? In the search box?
If yes, I am getting the following errors:
Error in 'search' command: Unable to parse the search: unbalanced parentheses.
The search job has failed due to an error. You may be able view the job in the Job Inspector.
Hi @gntavelis,
Sorry! I forgot the second parenthesis!
index=wineventlog (EventCode=4624 OR EventCode=4625 OR EventCode=4634)
| table _time user EventCode EventCodeDescription
Then you can save this search in a report or in a dashboard panel.
One caveat: in Windows, a single access to the system generates many login events, so it could seem that your user accessed the system many more times than in reality; you should filter the events by dedupping them on _time, user and host.
Ciao.
Giuseppe
Hi gntavelis,
try this on your search head:
index=wineventlog (EventCode=4624 OR EventCode=4625 OR EventCode=4634)
| table _time user EventCode EventCodeDescription
The original post was missing a ) in the SPL.
cheers, MuS