Splunk Enterprise

Are the Windows events/logs in storage buckets being copied into Splunk storage or ingesting events from forwarders?

KnoxTech01
New Member

For the Windows events/logs that end up in the storage buckets on Splunk Enterprise servers, is Splunk copying the original Windows event log files to its own storage, or is it just ingesting events from the forwarders? 

The reason I ask is because our CISO wants our secuity team to retain the original log files for fidelity in case we ever get audited or sued and I feel like we can just setup Splunk to alert us if log files have been cleared. Additionally, if an insider threat were to pull a workstation offline, then clear the logs, we wouldn't have the orignal logs, anyway... 

Does anyone know if there are regulations in any industries that require the original log files?

Labels (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Splunk uses Windows API and WMI (depending on use case) to access event data. If I remember correctly, there was an option to upload an evt file to a splunk instance (not UF!) and ingest it but it must be a Splunk instance running on Windows. I'm not even sure if it still works.

Anyway, even if UF read straight from the windows event log raw files it would still ingest data in rendered format and it would still not affect the original files.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The Windows event logs in Splunk are copies of Windows event logs stored elsewhere.

Yes, you can set up Splunk to alert if an event log is cleared.  There's a use case for that in Splunk Security Essentials.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...