Security

How to gather only the Administrators' login/logout events from Windows Universal FW?

skender27
Contributor

Hi,

I have this necessity to gather exclusively the Windows Administrators login/logfail/logout from Windows Universal FW.
I know how to do for the type of events (by putting EventCode IDs in the .conf files that I deploy to the universal forwarders)
What I still do not do, is collecting ONLY the admin events. What I mean is provisioning this directly from the FW level and not indexing these kinds of events for all users and only then filtering through (maybe match a predefined CSV file) and building dashboards.

I have read somewhere about some regex stanza (in props.conf and transforms.conf) which provide patterns to allow event gathering...
I hope someone has had the same issue before.

Thanks a lot in advance,
Skender

0 Karma

gcusello
Esteemed Legend

Hi skender27,
you cannot filter events on Forwarders, but only on Indexers or Heavy Forwarders.
To filter events, so you have to create in your indexer/s props.conf and transforms.conf like these:
props.conf

[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = your regex
DEST_KEY = queue
FORMAT = indexQueue

See http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Forwarding/Routeandfilterdatad#Keep_specif...

The problem is that you have to restart Splunk every time you modify your regex to insert a new administrator's username.
In addition you could need to have all users login and filter them at application level.

So I usually filter my events to take only the ones related to login, logout and logfail and I inserted the Administrators usernames in a lookup filtering my searches for this lookup.
In this way I can add an administrator with no Splunk restart and I can monitor all the users logins; obviously I must index more logs, but with the filter on Windows EventCodes there isn't a very larger consuption of Splunk License.

the regex I used to filter windows login events is the following, useful for all Windows Systems (old and new, Win and SQL):

(?m)EventCode=528|EventCode=529|EventCode=530|EventCode=531|EventCode=532|EventCode=533|EventCode=534|EventCode=535|EventCode=536|EventCode=537|EventCode=538|EventCode=539|EventCode=540|EventCode=4624|EventCode=4625|EventCode=4634|EventCode=4647|EventCode=4648|EventCode=4672|EventCode=4675|EventCode=4771|EventCode=17055|EventCode=18450|EventCode=18451|EventCode=18452|EventCode=18453|EventCode=18454|EventCode=18455|EventCode=18456|EventCode=18457|EventCode=18458|EventCode=18459|EventCode=18460|EventCode=18461|EventCode=24001|EventCode=24002|EventCode=24003

Bye.
Giuseppe

skender27
Contributor

Hi Giuseppe,

Thanks for your response in so fast time!
I fully understand the explanation and you just reminded me about the chances I've got.

But, what if, for legal compliance, you MUST NOT index in your indexer any log from other users who are not Administrators?
I already have done the way you and hsesterhenn suggested. If with an UF you cannot do this without first, it is OK for me. I just need to be sure.

Thanks a lot,
Skender

0 Karma

hsesterhenn_spl
Splunk Employee
Splunk Employee

Hi,

you can't filter by event on a Windows Universal Forwarder because a UF does not parse (Indexer or Heavy Forwarder do).

BUT, you might blacklist/whitelist by event ID and some regexes...

http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/

HTH,

Holger

skender27
Contributor

Hi hsesterhenn,

Thanks so much for your response. I appreciated this!

Skender

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...