Getting Data In

What other logs should I be collecting from Domain Controllers besides the WinEventLog stanzas listed here?

daniel_augustyn
Contributor

What other logs should I be collecting from the Domain Controllers except for these ones, or are these all logs that DCs are generating?

[WinEventLog://Application]
disabled=0

[WinEventLog://Security]
disabled=0

[WinEventLog://System]
disabled=0

[WinEventLog://DNS Server]
disabled=0

[WinEventLog://Directory Service]
disabled = 0

[WinEventLog://File Replication Service]
disabled = 0

1 Solution

Richfez
SplunkTrust
SplunkTrust

You are already collecting DHCP, proxy, VPN and firewall logs. The logs you are collecting from the DCs should help you answer a lot of questions about logins and you are just about set. A few additional notes or recommendations:

Make sure to either collect the DNS logs (with all the appropriate debug data turned on, as mentioned in the docs) or better use use the Splunk App for Stream to selectively capture those from all the DCs. If you do that and if you use DHCP from MS as well, you may want to enable Stream directly capturing the DHCP packets as well from the DHCP servers.

You might want to investigate using the Splunk App for Windows Infrastructure to provide some good information on the inputs you have enabled. It also walks you through what inputs you need to make it useful, so that process itself may be a good double-check for you.

View solution in original post

0 Karma

Richfez
SplunkTrust
SplunkTrust

You are already collecting DHCP, proxy, VPN and firewall logs. The logs you are collecting from the DCs should help you answer a lot of questions about logins and you are just about set. A few additional notes or recommendations:

Make sure to either collect the DNS logs (with all the appropriate debug data turned on, as mentioned in the docs) or better use use the Splunk App for Stream to selectively capture those from all the DCs. If you do that and if you use DHCP from MS as well, you may want to enable Stream directly capturing the DHCP packets as well from the DHCP servers.

You might want to investigate using the Splunk App for Windows Infrastructure to provide some good information on the inputs you have enabled. It also walks you through what inputs you need to make it useful, so that process itself may be a good double-check for you.

0 Karma

Richfez
SplunkTrust
SplunkTrust

What are you trying to achieve? What questions are you attempting to answer with the information you are getting?

If you are only concerned about "what is my server doing" application-wise then those are a good start. Are you planning on installing the Splunk App for Windows Infrastructure? I'd probably suggest it, it'll give you a lot of good inputs and information and, though its a bit of work to get up, it's a good process and will slowly lead you through the above and more.

If it's validating they haven't been compromised and aren't chatting up nefarious folks in external locations and as part of a larger attempt to pay attention to things like that across your entire network, then there's a lot more you can get. For instance, using the Splunk App for Stream carefully deployed to target DHCP and DNS on the appropriate systems - this will give you far better information than the MS logs (which aren't listed in your list above - the WinEventLog for DNS server is other events involving DNS services, not actual DNS traffic IIRC). Also, you'll want all traffic going into and out of your network across your firewall.

Likewise, If it's performance monitoring you are after there's a different set of things to add to that. All sorts of perfmon stuff you can pull and send in. There are apps for that too. 🙂

0 Karma

daniel_augustyn
Contributor

Basically, I was trying to see what other logs should I be collecting from DCs in terms of user authentications on the domain. I wanted to find out only about DCs, I already started collecting DHCP, proxy, VPN, or firewall logs. But DCs are the ones that I wasn't so sure about what logs should I be collecting.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...