Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Netwrix TA

Okezie1
Explorer
‎10-26-2021 09:58 AM

Has anyone ever installed the Netwrix addon in Splunk? Having a bit of trouble with how to do so. 

Labels (1)
Labels
0 Karma
Reply

acadea
Explorer
‎11-19-2021 06:49 AM

yes, I've configured the netwrix powerhsll script to be executed as a scheduled task . 
- also enabled the API on Netwrix ( see settings, API)
- configured splunk UFW to collect the windows event log netwrix_integration_bla_bla

what is the blocking point for you?

0 Karma
Reply

Okezie1
Explorer
‎11-19-2021 06:54 AM

We were able to create a deployment app on our Heavy Forwarder, created a serverclass as well,  and customized the inputs.conf to grab the Winevent logs. However, the client stated that they were only receiving general audit information that showed who logged in, etc but didn't receive the actual log information.

 

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/MonitorWindowseventlogdata#Monitor_Win...

 

This is the link we used to assist. 

0 Karma
Reply

acadea
Explorer
‎11-19-2021 07:22 AM

who logged in... where ? on Netwrix ? on Windows/AD ?

there are 3 Netwrix generated eventlogs on Windows

[WinEventLog://Netwrix Auditor] - > this is the same EventLog that you can see in Netwrix interface regarding events related to data collection etc

[WinEventLog://Netwrix Auditor Security] - > this is containing Netwrix on Netwrix audit, that is who has started Netwrix, what changes were done in the Netwrix interface, etc. Netwrix Auditor Self-audit let's say. I suppose this is what you're describing as currently collected.

[WinEventLog://Netwrix_Auditor_Integration] - > this is what you're after. It should have this format:

08/24/2021 09:56:37 AM
LogName=Netwrix_Auditor_Integration
SourceName=Netwrix_Auditor_Integration_API
EventCode=35940
EventType=4
Type=Information
ComputerName=srv-01
TaskCategory=492
OpCode=Info
RecordNumber=41188878
Keywords=Classic
Message=
DataSource : Windows Server
Action : Modified
Message: Modified System Time
Where : srv-01
ObjectType : System Time
Who : NT AUTHORITY\SYSTEM
What : System Properties\System Time
When : 2021-08-24T07:36:22Z
Workstation :
Details : System time changed from "2021-08-24T07:36:08.173840600Z" to "2021-08-24T07:36:22.192000000Z"
0 Karma
Reply

Okezie1
Explorer
‎11-19-2021 07:59 AM

I'll add the [WinEventLog://Netwrix Auditor]  and [WinEventLog://Netwrix_Auditor_Integration] stanzas as well and see what we're able to pull. 

0 Karma
Reply

Okezie1
Explorer
‎11-19-2021 07:38 AM

My apologies, it was the Netwrix Auditor Security I was referring to. 

0 Karma
Reply

acadea
Explorer
‎11-19-2021 07:41 AM

well, collect the other eventlog and maybe that will solve your problem ?

0 Karma
Reply

acadea
Explorer
‎11-19-2021 06:04 AM

can you provide a link to that addon, I'm not able to find it on splunkbase.

or perhaps you're talking about the netwrix addon for splunk  which is a powershell script that is writing netwrix events to windows event log  so that splunk ufw can collect it ?

0 Karma
Reply

Okezie1
Explorer
‎11-19-2021 06:39 AM

There is no Splunkbase TA. I'm referring to the Netwrix addon for Splunk which is a PowerShell script.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...