Getting Data In

What's the best practice to break the Windows events?

kiran331
Builder

Hi All,

We have 2 domains; all the Windows events are going to the wineventlog, windows and perfmon indexes. If I break these indexes into wineventlog_domain1 and wineventlog_domain2 and deploy modified add-ons to the hosts, will it break anything? We use the Splunk App for Windows Infrastructure and Enterprise Security. Any suggestions on how to achieve it?

0 Karma

koshyk
Super Champion

ES works on data models, and data models in turn work on tags and eventtypes.
So the relationship is something like:
Datamodel -> tags -> eventtypes -> props/transforms

"Index" is just a holding area and doesn't contribute to the functionality. The ONLY thing you need to consider is that in the data model (acceleration) there is a provision for selecting indexes. By default it scans all indexes, but sometimes customers configure it to use only certain indexes. Ensure your new indexes are included.

How we do it is:
- a naming convention for all indexes (mycompany_network_firewall, mycompany_os_windows, etc.)
- include all key indexes in the data models
- permissions and groups are created based on the above naming convention

Afterwards, use the official Splunk Windows add-on and it will do all the magic of field extractions, tagging, data models, etc.

0 Karma

adonio
Ultra Champion

I am commenting only as I would like confirmation from others here, but I am pretty positive it is a valid answer.
I think you are safe there; ES works on data models and tags, among other knowledge objects, and as long as the fields are extracted correctly from the data there is not supposed to be a problem.
Regarding the App for Win Inf, I think you are also good there; if my memory is good, all searches, reports, eventtypes, macros and more are tied to a sourcetype and not to an index.
With that being said, I would add the new indexes as searched by default to the relevant roles in ES, Win Inf, and Splunk.
Hope it helps.

0 Karma
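The two answers above point at three places that have to agree once the indexes are split: the add-on's inputs on the hosts, the CIM index allowlist macros that koshyk mentions, and the roles' default search indexes that adonio mentions. The configuration fragments below are an added, constructed illustration of those three pieces; they are not from either reply or from the Splunk Add-on for Windows itself. The index names, the split into one deployment-server serverclass per domain, and the `ess_analyst` role as the role to update are assumptions for the example.

```ini
# --- On the Windows hosts, pushed by the deployment server ---
# Splunk_TA_windows/local/inputs.conf for the serverclass that holds domain1 hosts.
# Assumed layout: one serverclass per domain, each with its own local/inputs.conf
# that overrides only the index setting of the add-on's default stanzas.
[WinEventLog://Security]
disabled = 0
index = wineventlog_domain1

[WinEventLog://System]
disabled = 0
index = wineventlog_domain1

[WinEventLog://Application]
disabled = 0
index = wineventlog_domain1

# The domain2 serverclass carries an identical local/inputs.conf whose
# index values end in _domain2. The sourcetypes stay the same, which is why the
# add-on's props/transforms, eventtypes and tags keep working unchanged.

# --- On the indexers (or pushed from the cluster manager): indexes.conf ---
# Both indexes must exist before the modified add-on is deployed; events sent to
# an index that does not exist are dropped unless lastChanceIndex is configured.
[wineventlog_domain1]
homePath   = $SPLUNK_DB/wineventlog_domain1/db
coldPath   = $SPLUNK_DB/wineventlog_domain1/colddb
thawedPath = $SPLUNK_DB/wineventlog_domain1/thaweddb

[wineventlog_domain2]
homePath   = $SPLUNK_DB/wineventlog_domain2/db
coldPath   = $SPLUNK_DB/wineventlog_domain2/colddb
thawedPath = $SPLUNK_DB/wineventlog_domain2/thaweddb

# --- On the ES search head: Splunk_SA_CIM/local/macros.conf ---
# koshyk's point. The CIM data models are constrained by one macro per model.
# The default definition is "()" which means every index is scanned; once an
# allowlist has been set, an index that is missing from it never reaches the
# accelerated data model and therefore never reaches ES correlation searches.
[cim_Authentication_indexes]
definition = (index=wineventlog_domain1 OR index=wineventlog_domain2)

[cim_Change_indexes]
definition = (index=wineventlog_domain1 OR index=wineventlog_domain2)

[cim_Endpoint_indexes]
definition = (index=wineventlog_domain1 OR index=wineventlog_domain2)

# --- On the search heads: authorize.conf ---
# adonio's point. A search that does not name an index only covers the role's
# default indexes, so ad-hoc searches and app dashboards would stop seeing the
# Windows data unless the new indexes are added. Role name is an example.
[role_ess_analyst]
srchIndexesAllowed = wineventlog_domain1;wineventlog_domain2
srchIndexesDefault = wineventlog_domain1;wineventlog_domain2
```

After the deployment, a quick way to confirm that both halves of the split are flowing into ES is `| tstats count from datamodel=Authentication by index`: both new indexes should appear, and the old wineventlog index should stop growing once the last host has picked up the new inputs. The old index can be kept read-only until its retention expires rather than being deleted, so historical investigations still resolve.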