Re: How to turn on WinEventLog:Security logs only ...

pramit46 · ‎12-03-2015

Due to license limitations, I cannot turn on the security logs for all the Windows Domain Controllers, except for some crucial ones. How can I achieve that?

As part of my PoC with only one server, I tried the following in my inputs.conf:

inputs.conf

[host::<[Hard Coded Server Name]>]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = wineventlog
sourcetype = WinEventLog:Security

Which did not work. I also tried to use following props & transforms setting, which did not help either:

props.conf

[WinEventLog:Security]
TRANSFORMS-selectedserver = setnull, selectedServers

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullqueue

[selectedServers]
REGEX = <[Hard Coded Server Name]>
DEST_KEY = queue
FORMAT = indexqueue

I also tried to whitelist the servers in the serverclass.conf which went in vain.

Any suggestions?
Please let me know if you need any more information to understand my problem..

Runals · ‎12-03-2015

Is part of the issue you have agents on several DCs but need to scale back? I'd shut off the agents on the DCs you don't want to have data sent from. If there is a Splunk Deployment Server setup as part of your PoC then there are some options (ie push an 'app' that disables getting the Security logs but allows you to still get the System/Application logs)

pramit46 · ‎12-03-2015

I have done something similar to what you are suggesting. I have disabled the security sourcetype in the windows app, which restricts the security logs from all the hosts, right now. But then, I need to enable that for some set of servers (e.g.: XXX01-XXX10). That is where I am stuck. How do I filter these hosts? I tried creating a new app which would only have the above inputs.conf (I also included the transforms and props) then whitelisted the DCs in the serverclass.conf for that particular app. Still no luck!!

javiergn · ‎12-03-2015

I would take a slightly different approach and use the Windows event log forwarding to send all the Security logs from the DCs you want to monitor to the local Splunk Enterprise server running your PoC. Then your Splunk instance can easily collect all the event logs locally without having to use WMI or any other remote collection.

Alternatively, simply install Universal Forwarders in the DCs you want to monitor and send that to your Indexer/Search Head.

javiergn · ‎12-03-2015

Forgot to mention that I'm assuming you are running your Splunk Enterprise on Windows.
If that's not the case, then install local Universal Forwarders in your Domain Controllers and forward that to your Splunk instance.

pramit46 · ‎12-03-2015

I am using the app, but I'm little confused with your approach. How do I ensure that only those hosts are pushing the security logs? That is where I am facing issues.
I'm collecting all the events for other type of wineventlog sourcetypes (system, application etc.), but only for security logs, I want to filter based on hosts as it will consume large amount of license.

javiergn · ‎12-03-2015

If you use the built-in Windows Event Log Forwarding you can specify what servers will forward logs where.
This is completely outside of Splunk.

For instance, let's assume your Windows server XYZ is the one running Splunk Enterprise and the domain controllers you want the security logs from are DC1 and DC2. You will then configure event log forwarding on DC1 and DC2 to XYZ and then read all the logs locally from XYZ.

Does that make more sense?

Alternatively, simply install universal forwarders on DC1 and DC2 and tell them to send the security logs to XYZ.

How to turn on WinEventLog:Security logs only for certain Domain Controller(s)

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!