Getting Data In

Is it possible for Windows event logs to be flagged up on the Active Directory and passed to a Splunk server via universal forwarder?

Path Finder

I have been assigned the task of implementing Splunk on my company network. I have Syslog communication with my server with no problems, but I would like to have my Windows devices communicating with Splunk.

Using the Universal Forwarder on my Active Directory server will show changes to the Active Directory config. However, my ultimate aim is to show logs from all the Windows devices on my network.

As an example, I would like to determine whether one of the Users or Computers in my domain has changed their Windows Firewall settings, or whether they have locked their account. I have installed the Universal Forwarder on my AD, and have also set up a Group Policy Object to audit events based upon what I need. My results so far are that only changes to my AD are being logged, such as the creation of a new OU, GPO or User.

Is there any possibility for my Windows Events to be flagged up on the AD and passed to my Splunk Server through the forwarder?
Additionally, does the server running Splunk have to reside on the same domain as the AD and Windows Devices?

0 Karma

Contributor

You can use event log forwarding to send the events from all Windows devices to one server. Then you can install a Splunk forwarder on that server to collect the events.

http://blogs.splunk.com/2014/02/03/forwarding-windows-event-logs-to-another-host/

0 Karma
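The setup the answer above describes, written out as an added example (it is not from the thread or the linked Splunk blog post): source-initiated Windows Event Forwarding from domain workstations to a collector, a GPO that points the workstations at that collector, and a Universal Forwarder on the collector reading the ForwardedEvents log. The collector name WEC01 in domain corp.example, the GPO name "WEF-Sources", the Splunk index "wineventlog" and the forwarder install path are all assumptions; the event IDs are the standard Windows ones for failed logons, account lockouts and firewall changes.

```powershell
# Added example, not code from the original thread. Hypothetical names: collector
# WEC01.corp.example, GPO "WEF-Sources", Splunk index "wineventlog".

# ---------- 1. On the collector (WEC01): enable the Windows Event Collector ----------
wecutil qc /q            # starts the Wecsvc service and sets it to delayed-auto start

# Source-initiated subscription: each client pushes events to the collector, so no
# inbound WinRM connection to the workstations is needed.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/events/subscriptions">
  <SubscriptionId>Splunk-Workstation-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon failures, lockouts and firewall changes from domain workstations</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
<QueryList>
  <Query Id="0">
    <!-- 4625 failed logon; 4740 account locked out (4740 is written on the DC, not the client) -->
    <Select Path="Security">*[System[(EventID=4625 or EventID=4740)]]</Select>
    <!-- 4946/4947/4948 firewall rule added/modified/deleted, 4950 firewall setting changed.
         These need the "Audit MPSSVC Rule-Level Policy Change" subcategory enabled by GPO. -->
    <Select Path="Security">*[System[(EventID=4946 or EventID=4947 or EventID=4948 or EventID=4950)]]</Select>
    <!-- Operational firewall channel: 2003 profile setting changed, 2004/2005/2006 rule added/modified/deleted.
         Logged regardless of audit policy. -->
    <Select Path="Microsoft-Windows-Windows Firewall With Advanced Security/Firewall">*[System[(EventID=2003 or EventID=2004 or EventID=2005 or EventID=2006)]]</Select>
  </Query>
</QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL granting the Domain Computers group (DC) the right to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
$subPath = Join-Path $env:TEMP 'wef-subscription.xml'
Set-Content -Path $subPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $subPath      # create the subscription from the XML file

# ForwardedEvents defaults to 20 MB; give it room so the forwarder never misses events.
wevtutil sl ForwardedEvents /ms:1073741824

# ---------- 2. GPO for the source computers: point them at the collector ----------
# Requires the GroupPolicy module (RSAT); the GPO is assumed to exist and be linked to
# the workstation OU. Port 5985 is WinRM over HTTP; inside a domain the exchange is
# Kerberos-authenticated and encrypted, so HTTPS (5986) is mainly for non-domain sources.
Import-Module GroupPolicy
Set-GPRegistryValue -Name 'WEF-Sources' `
  -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' `
  -ValueName '1' -Type String `
  -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'
# The same GPO must also set the Windows Remote Management (WinRM) service to Automatic
# on the clients and let the forwarding service read the Security log, for example by
# adding NETWORK SERVICE to the local "Event Log Readers" group through Restricted Groups.

# ---------- 3. On the collector: have the Universal Forwarder read ForwardedEvents ----------
# Splunk sets each event's host from its ComputerName field, so events are still
# attributed to the workstation that produced them, not to WEC01.
$inputsConf = @'
[WinEventLog://ForwardedEvents]
disabled = 0
index = wineventlog
'@
$appLocal = 'C:\Program Files\SplunkUniversalForwarder\etc\apps\wef_inputs\local'
New-Item -ItemType Directory -Path $appLocal -Force | Out-Null
Set-Content -Path (Join-Path $appLocal 'inputs.conf') -Value $inputsConf -Encoding ASCII
& 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe' restart

# ---------- 4. Checks ----------
wecutil gs Splunk-Workstation-Security   # subscription settings as saved
wecutil gr Splunk-Workstation-Security   # runtime status: each source's last heartbeat and any error
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
  Select-Object TimeCreated, MachineName, Id, Message | Format-Table -AutoSize
```

Two things worth checking once it runs: `wecutil gr` lists every source that has checked in, so a workstation missing from that list has a WinRM, GPO or Security-log permission problem on its side, and account lockout (4740) only ever appears on the domain controller, so the forwarder already installed on the AD server covers that event even before WEF is in place. The forwarder-to-indexer leg is Splunk's own TCP connection (port 9997 by default, optionally TLS) and does not depend on domain membership; only the WEF leg relies on the domain trust.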