Has anyone ever installed the Netwrix addon in Splunk? Having a bit of trouble with how to do so.
yes, I've configured the netwrix powerhsll script to be executed as a scheduled task .
- also enabled the API on Netwrix ( see settings, API)
- configured splunk UFW to collect the windows event log netwrix_integration_bla_bla
what is the blocking point for you?
We were able to create a deployment app on our Heavy Forwarder, created a serverclass as well, and customized the inputs.conf to grab the Winevent logs. However, the client stated that they were only receiving general audit information that showed who logged in, etc but didn't receive the actual log information.
This is the link we used to assist.
who logged in... where ? on Netwrix ? on Windows/AD ?
there are 3 Netwrix generated eventlogs on Windows
[WinEventLog://Netwrix Auditor] - > this is the same EventLog that you can see in Netwrix interface regarding events related to data collection etc
[WinEventLog://Netwrix Auditor Security] - > this is containing Netwrix on Netwrix audit, that is who has started Netwrix, what changes were done in the Netwrix interface, etc. Netwrix Auditor Self-audit let's say. I suppose this is what you're describing as currently collected.
[WinEventLog://Netwrix_Auditor_Integration] - > this is what you're after. It should have this format:
I'll add the [WinEventLog://Netwrix Auditor] and [WinEventLog://Netwrix_Auditor_Integration] stanzas as well and see what we're able to pull.
My apologies, it was the Netwrix Auditor Security I was referring to.
well, collect the other eventlog and maybe that will solve your problem ?
can you provide a link to that addon, I'm not able to find it on splunkbase.
or perhaps you're talking about the netwrix addon for splunk which is a powershell script that is writing netwrix events to windows event log so that splunk ufw can collect it ?
There is no Splunkbase TA. I'm referring to the Netwrix addon for Splunk which is a PowerShell script.