Getting Data In

Is it possible for Windows event logs to be flagged up on the Active Directory and passed to a Splunk server via universal forwarder?

SecureIA
Path Finder

I have been assigned the task of implementing Splunk on my company network. I have Syslog communication with my server with no problems, but I would like to have my Windows devices communicating to Splunk.

Using the Universal Forwarder on my Active Directory server will show changes to the Active Directory config. However, my ultimate aim is to show logs from all the Windows devices on my network.

As an example, I would like to determine whether one of the Users or Computers in my domain has changed their Windows Firewall settings, or whether they have locked their account. I have installed the Universal Forwarder on my AD, and have also set up a Group Policy Object to audit events based upon what I need. My results so far are that only changes to my AD are being logged, such as the creation of a new OU, GPO or User.

Is there any possibility for my Windows Events to be flagged up on the AD and passed to my Splunk Server through the forwarder?
Additionally, does the server running Splunk have to reside on the same domain as the AD and Windows Devices?

0 Karma

spayneort
Contributor

You can use event log forwarding to send the events from all Windows devices to one server. Then you can install a Splunk forwarder on that server to collect the events.

http://blogs.splunk.com/2014/02/03/forwarding-windows-event-logs-to-another-host/

0 Karma
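The collector-side setup this answer describes, as an added example that is not part of the original thread or of the linked blog post. It assumes a dedicated collector host (placeholder name wec01.example.local), a subscription name and index name chosen for illustration, and the standard Windows Security event IDs for account lockout (4740) and Windows Firewall rule/setting changes (4946-4948, 4950, 4954), which are the two cases the question asks about.

```powershell
# Added example (not from the original thread): stand up a Windows Event
# Collector, subscribe domain members to it, and point a Splunk Universal
# Forwarder on the collector at the ForwardedEvents log.
# wec01.example.local, the subscription name and the index name are assumptions.

# --- 1. Collector: enable the Windows Event Collector service and a WinRM listener ---
wecutil qc /q          # quick-config: starts Wecsvc and sets it to start automatically
winrm quickconfig -q   # WinRM listener; source computers connect to http://wec01.example.local:5985/wsman

# --- 2. Collector: define a source-initiated subscription ---
# Domain members are pointed at this collector by a GPO (assumed path):
#   Computer Configuration > Policies > Administrative Templates >
#   Windows Components > Event Forwarding > Configure target Subscription Manager
#   Value: Server=http://wec01.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
# The same GPO must also enable the audit subcategories that produce these IDs
# (Account Management for 4740, MPSSVC Rule-Level Policy Change for the firewall events).
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wef/subscription/2">
  <SubscriptionId>Workstation-Security-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Account lockouts and Windows Firewall changes from domain members</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <!-- 4740: account locked out; 4946-4948, 4950, 4954: firewall rule or setting changed -->
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4740 or EventID=4946 or EventID=4947 or EventID=4948 or EventID=4950 or EventID=4954)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL allowing Domain Computers (DC) and Domain Controllers (DD) to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP 'workstation-security-events.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding ASCII
wecutil cs $xmlPath                                   # create the subscription
wecutil gr Workstation-Security-Events                # show which sources have checked in

# --- 3. Collector: tell the Universal Forwarder to read the ForwardedEvents log ---
# Assumed paths: default UF install directory and an app named "wef_inputs";
# the index "wineventlog" must already exist on the indexer.
$inputsConf = @'
[WinEventLog://ForwardedEvents]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
'@
$appLocal = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\wef_inputs\local'
New-Item -ItemType Directory -Path $appLocal -Force | Out-Null
Set-Content -Path (Join-Path $appLocal 'inputs.conf') -Value $inputsConf -Encoding ASCII
Restart-Service -Name SplunkForwarder
```

Once events arrive, a search such as `index=wineventlog EventCode=4740` shows lockouts from every forwarding host, with the originating computer preserved in the event body rather than appearing as the collector. Source computers and the collector authenticate to each other with Kerberos, so they need to be in the same domain or forest; the Splunk indexer only needs to be reachable from the forwarder on the receiving port (9997 by default) and does not have to be domain-joined.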