Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What other logs should I be collecting from Domain Controllers besides the WinEventLog stanzas listed here?

daniel_augustyn
Contributor
‎12-11-2015 08:35 AM

What other logs should I be collecting from the Domain Controllers except for these ones, or are these all logs that DCs are generating?

[WinEventLog://Application]
disabled=0

[WinEventLog://Security]
disabled=0

[WinEventLog://System]
disabled=0

[WinEventLog://DNS Server]
disabled=0

[WinEventLog://Directory Service]
disabled = 0

[WinEventLog://File Replication Service]
disabled = 0

Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎12-13-2015 10:51 AM

You are already collecting DHCP, proxy, VPN and firewall logs. The logs you are collecting from the DCs should help you answer a lot of questions about logins and you are just about set. A few additional notes or recommendations:

Make sure to either collect the DNS logs (with all the appropriate debug data turned on, as mentioned in the docs) or better use use the Splunk App for Stream to selectively capture those from all the DCs. If you do that and if you use DHCP from MS as well, you may want to enable Stream directly capturing the DHCP packets as well from the DHCP servers.

You might want to investigate using the Splunk App for Windows Infrastructure to provide some good information on the inputs you have enabled. It also walks you through what inputs you need to make it useful, so that process itself may be a good double-check for you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎12-13-2015 10:51 AM

You are already collecting DHCP, proxy, VPN and firewall logs. The logs you are collecting from the DCs should help you answer a lot of questions about logins and you are just about set. A few additional notes or recommendations:

Make sure to either collect the DNS logs (with all the appropriate debug data turned on, as mentioned in the docs) or better use use the Splunk App for Stream to selectively capture those from all the DCs. If you do that and if you use DHCP from MS as well, you may want to enable Stream directly capturing the DHCP packets as well from the DHCP servers.

You might want to investigate using the Splunk App for Windows Infrastructure to provide some good information on the inputs you have enabled. It also walks you through what inputs you need to make it useful, so that process itself may be a good double-check for you.

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎12-11-2015 01:06 PM

What are you trying to achieve? What questions are you attempting to answer with the information you are getting?

If you are only concerned about "what is my server doing" application-wise then those are a good start. Are you planning on installing the Splunk App for Windows Infrastructure? I'd probably suggest it, it'll give you a lot of good inputs and information and, though its a bit of work to get up, it's a good process and will slowly lead you through the above and more.

If it's validating they haven't been compromised and aren't chatting up nefarious folks in external locations and as part of a larger attempt to pay attention to things like that across your entire network, then there's a lot more you can get. For instance, using the Splunk App for Stream carefully deployed to target DHCP and DNS on the appropriate systems - this will give you far better information than the MS logs (which aren't listed in your list above - the WinEventLog for DNS server is other events involving DNS services, not actual DNS traffic IIRC). Also, you'll want all traffic going into and out of your network across your firewall.

Likewise, If it's performance monitoring you are after there's a different set of things to add to that. All sorts of perfmon stuff you can pull and send in. There are apps for that too. 🙂

0 Karma
Reply
Solved! Jump to solution

daniel_augustyn
Contributor
‎12-12-2015 08:06 AM

Basically, I was trying to see what other logs should I be collecting from DCs in terms of user authentications on the domain. I wanted to find out only about DCs, I already started collecting DHCP, proxy, VPN, or firewall logs. But DCs are the ones that I wasn't so sure about what logs should I be collecting.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...