Splunk Search

How to send Windows log to Splunk?

rockzers
Path Finder

new splunk user

I installed Splunk on my Windows machine and I want to receive logs. How do I find a logon event?

In the search, the only default indexes are index=internal and audit, so are these the same as received login event logs? Is a logon event detected if a user accesses this Windows machine?

Do I need to install any third-party application to get logs? Because the Splunk forwarder is a remote way to send logs, how can I do that on the local machine?

I want to check user login events in Splunk.

Example:
If a user accesses this Windows machine, then the SIEM (Splunk) job is to check the logon event log details, e.g. whether only people with a valid IP access this Windows machine or not.

1 Solution

gcusello
SplunkTrust

Hi @rockzers,

I suggest following some basic training on Splunk:

to be autonomous in your activities.

Anyway, do you want to take logs from your local machine or from another one?

If from your local machine, you can go to [Settings -- inputs] and find how to enable local Windows event logs.

If from another machine, it is just a little bit more complicated (not so much); you have to install:

  • Splunk Enterprise on your Splunk machine,
  • Splunk Universal Forwarder on the target machine,
  • Splunk_TA_Windows (https://splunkbase.splunk.com/app/742/) on your target machine and on your Splunk machine.

Then configure your target machine to:

  • send logs to your Splunk machine,
  • enable inputs on the target machine in the Splunk_TA_Windows inputs.conf.

When you have logs in your Splunk machine, you can create your searches (as you learned in the Splunk Search Tutorial).

To list all the logon events, you could run something like this:

index=wineventlog EventCode=4624

Remember that every logon in Windows generates around 12-13 logon events, so you have to analyze and filter them.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @rockzers,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


rockzers
Path Finder

@gcusello 

Thanks for your suggestion.

I installed Splunk_TA_Windows and created it in the local inputs.conf folder.

Which one gets the login event, to enable in inputs.conf?

Because in inputs.conf there are many events, and I just need the login event log to be received in Splunk.


gcusello
SplunkTrust

Hi @rockzers,

The stanza is wineventlog:security, usually the first.

Ciao.

Giuseppe


rockzers
Path Finder

@gcusello 

Should I remove all the other log settings in inputs.conf and just use the WinEventLog://security logs to check the login event in Splunk?

Because I checked and used only security in the eventlog inputs.conf, and it received logs, but when I check the logs they don't show my src and src port, or the IP address is empty.


gcusello
SplunkTrust

Hi @rockzers,

Usually the approach is to leave the complete inputs.conf as is in the default folder, with all the disabled stanzas, and then copy only the wineventlog:security stanza into the local folder's inputs.conf, enabling it.

You could also insert in this inputs.conf only the stanza's header and the option "disabled=0", but I prefer to copy the full stanza.

Ciao.

Giuseppe

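As an added illustration (not a file from this thread or from the add-on itself), here is a constructed local inputs.conf that follows Giuseppe's advice: the default copy keeps every stanza disabled, and only the Security channel is copied into local/ and enabled. The index name, the event-code whitelist and the add-on path are assumptions, not values given in the thread.

```ini
; Constructed example: $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf
; Only this stanza is overridden; the full default/inputs.conf stays untouched.

[WinEventLog://Security]
disabled = 0
; Read the channel from the oldest record on first run, then keep following new records.
start_from = oldest
current_only = 0
; Seconds between bookmark writes so a restart does not re-ingest or lose events.
checkpointInterval = 5
; Emit the events as XML, the form the add-on's field extractions expect.
renderXml = true
; Assumption: keep only the codes needed to review logons
; (4624 successful logon, 4625 failed logon) instead of the whole Security channel.
whitelist = 4624,4625
; Assumption: an index named wineventlog already exists on the Splunk machine.
index = wineventlog
```

Note that a console logon or unlock on the machine itself (Logon Type 2 or 7) records the source network address as "-" or leaves it empty, so an empty src on a locally logged-in machine is expected; a source IP is present on network logons (Logon Type 3) and Remote Desktop logons (Logon Type 10).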

rockzers
Path Finder

@gcusello 

I copied the full stanza and used only the wineventlog:security stanza in the local folder's inputs.conf, enabling it,
but it still doesn't show any srcip and port, or IP address.

Maybe because Splunk is running locally and getting a local event log, it doesn't show any IP address, port or srcip sections in the event log?


venkatasri
SplunkTrust

@rockzers you might need to install this add-on and enable the required inputs; follow the instructions: https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows

---

Srikanth Yarlagadda


rockzers
Path Finder

@venkatasri 

I installed it, and I just need the login event log.
