Windows logon reporting

Contributor

History: Using Splunk 4.2, and added the Windows App.

I noticed there are some prebuilt searches, for instance logons by username.

source="wineventlog:security" EventCode=528 OR EventCode=540 OR EventCode=4624 | get_user_name | stats count by User_Name

I notice this search uses the wineventlog:security source.

I don't really care about the local machine... How do I get my domain controllers to fall into this source so the report is applicable domain-wide?

When I add event log monitoring, the source is WMI:wineventlog:security.

Thanks!

0 Karma
1 Solution

Splunk Employee

The windows app is going to assume the pulling of logs off the local machine. There are two ways you can get this to work. The first (and easiest) would be just change the source="" in the windows app, and still use WMI to pull the data in. The second (potentially better, depending on your environment) would be to install a splunk forwarder on the domain controller. This will eat up fewer resources (WMI is very resource intensive) and give you more visibility, but does require installing software on your DCs.

0 Karma

Contributor

Fantastic. Thanks. I was sending it to a TCP port and now am sending it to the receiver. Working well. Time to refine/configure.

0 Karma

Kinda... let the "receiver" open port 9997 but don't force a sourcetype for that. Point the universal forwarder to that port. (CLI: splunk add forward-server yourserver:9997).
Splunk-to-Splunk communication has a bunch of metadata included which will automatically tell the receiver the proper source,sourcetype, and host.

0 Karma
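A concrete layout of the forwarder route from the accepted answer, together with the port-9997 receiver advice in the comment above, as an added example. It is not configuration from the original thread or from the Windows app. The receiver host splunk.example.com, the app name dc_reports and the saved-search title are placeholders; get_user_name is carried over unchanged from the prebuilt search quoted in the question.

```ini
# Added example: Universal Forwarder on the domain controller -> receiver on 9997.
# Host name, app name and search title are assumptions, not values from the thread.

# --- Domain controller: SPLUNK_HOME\etc\system\local\inputs.conf ---
# Read the Security log locally; no WMI and no remote-collection credentials needed.
[WinEventLog://Security]
disabled = 0
# replay the existing log once, then follow new events
start_from = oldest
current_only = 0

# --- Domain controller: SPLUNK_HOME\etc\system\local\outputs.conf ---
# Same result as "splunk add forward-server splunk.example.com:9997".
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = splunk.example.com:9997

# --- Receiver (indexer): SPLUNK_HOME/etc/system/local/inputs.conf ---
# Plain Splunk-to-Splunk listener (what "splunk enable listen 9997" writes).
# Do not force a source or sourcetype here: the forwarder already sends
# host, source (WinEventLog:Security) and sourcetype with each event.
[splunktcp://9997]
disabled = 0

# --- Receiver: SPLUNK_HOME/etc/apps/dc_reports/local/savedsearches.conf ---
# Copy of the Windows app's "logons by username" search kept in its own app so
# an app upgrade does not overwrite it. The source filter accepts both the
# forwarder source and the WMI source; the parentheses keep the EventCode OR
# inside the source filter (AND binds tighter than OR in Splunk search).
[DC logons by user]
search = (source="WinEventLog:Security" OR source="WMI:WinEventLog:Security") (EventCode=528 OR EventCode=540 OR EventCode=4624) | get_user_name | stats count by User_Name
```

One security-relevant difference between the two routes that the answer only touches on: remote WMI collection needs a domain account with remote-access rights to the DC's event log, and that credential lives on the Splunk collector; the forwarder reads the log as a local service on the DC and only opens an outbound connection to port 9997, so no domain credential is stored off the DC.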

Contributor

Awesome. Thanks for the clear answer. I am in the process of setting up a light forwarder and didn't want to go through the process if that was the wrong direction. I will then modify/copy the searches into new ones (so as not to break my upgrade-ability later).

What's considered the best practice for this? I was thinking of defining a specific TCP port, say 9997, and forcing its source to be something like "DC-security". If I want to do something else in the future, I would add another TCP port and segregate that way. Is this the wrong approach?

0 Karma