Splunk Enterprise Security

Splunk Enterprise Security: What is the best practice for collecting Windows logs?

kiran331
Builder

Hi

We are collecting all logs from Windows (wineventlogs, windows, perfmon) from all the Domain Controllers. It's a huge amount of logs we are ingesting. What is the best practice to get the logs which has value for Splunk Enterprise Security and what logs are to be excluded?

0 Karma

ekost
Splunk Employee
Splunk Employee

The best practice for the collection of logs for use with Enterprise Security is to use (or build) an add-on that is compatible with the Splunk Common Information Model. One of the default filters on splunkbase is CIM compatibility. The Splunk Add-on for Microsoft Windows is CIM compatible, and will provide the eventtype and tagging requirements for the typical Windows Event Log sources. If you've already been ingesting Windows logs using that add-on, then you should have the log sources tagged properly for use with the CIM data models. Confirm that your Windows Event Log data is showing up in a datamodel (Example: review the Authentication data model using Pivot,) and if it's there you can move on to defining use-cases.

In a security environment, all data is relevant. So begin by defining the critical use-cases in your environment, and what data is required to fulfill those use-cases. Scope the data sources to CIM datamodels. To see which add-ons populate a given datamodel, use the 2 searches documented in this blog post. If you are working with correlation searches, review the search to see which datamodels are referenced.

With the list of required use-cases, and the knowledge of what data you need to fulfill those use-cases, you can choose to mark data sources that are less important to your current priorities and temporarily exclude them from collection.

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...