Solved: How to send Windows log to Splunk?

rockzers · ‎08-10-2022

new splunk user

i installed my splunk on my windows machine and i want to receive logs and how to find a logon event?

in the search index there is only default index=internal and audit, so these logs are the same received login event logs?. Is it detected logon event if the user accesses this windows machine?

Do I need to install any third party application to get logs? because splunk forwarder is a remote way to send logs so on local machine how can i do that?

i want to check user login event in splunk

Example:
if user access this windows machine then SIEM splunk job is check logon event log details like if people with valid IP only access this windows machine or not

gcusello · ‎08-10-2022

Hi @rockzers,

I hint to follow some basic training on Splunk:

getting started with search (https://docs.splunk.com/Documentation/Splunk/latest/Search/GetstartedwithSearch)
Splunk Search Tutorial (http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial)
http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

to be authonomous in your activities.

Anyway, do you want to take logs from your local machine or from another one?

If from your local machine, you can go in [Settings -- inputs] and find how to enable local windows eventlogs.

If from another machine, is just a little bit complicate (not so much) you have to install:

Splunk Enterprise on your Splunk machine,
Splunk Universal Forwarder on the target machine,
Splunk_TA_Windows (https://splunkbase.splunk.com/app/742/) on your target machine and on your Splunk machine.

Then configure your target machine to:

send logs to your Splunk machine,
enable inputs on the target machine in the Splunk_TA_Windows inputs.conf.

When you'll have logs in your Splunk machine, you can create your searches (as you learned in Splunk Search Tutorial).

To list all the logon events, you could run something like this:

index=wineventlog EventCode=4624

Remember that every logon in Windows generated around 12-13 logon events, so you have to analyze and filter them.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎08-10-2022

Hi @rockzers,

I hint to follow some basic training on Splunk:

getting started with search (https://docs.splunk.com/Documentation/Splunk/latest/Search/GetstartedwithSearch)
Splunk Search Tutorial (http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial)
http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial

to be authonomous in your activities.

Anyway, do you want to take logs from your local machine or from another one?

If from your local machine, you can go in [Settings -- inputs] and find how to enable local windows eventlogs.

If from another machine, is just a little bit complicate (not so much) you have to install:

Splunk Enterprise on your Splunk machine,
Splunk Universal Forwarder on the target machine,
Splunk_TA_Windows (https://splunkbase.splunk.com/app/742/) on your target machine and on your Splunk machine.

Then configure your target machine to:

send logs to your Splunk machine,
enable inputs on the target machine in the Splunk_TA_Windows inputs.conf.

When you'll have logs in your Splunk machine, you can create your searches (as you learned in Splunk Search Tutorial).

To list all the logon events, you could run something like this:

index=wineventlog EventCode=4624

Remember that every logon in Windows generated around 12-13 logon events, so you have to analyze and filter them.

Ciao.

Giuseppe

gcusello · ‎08-14-2022

Hi @rockzers,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

rockzers · ‎08-11-2022

@gcusello

thanks for your suggestion

I installed Splunk_TA_Windows and created it in the local input.config folder

Which one is get login event to enable in input.config ?

because input.config there are many events so i just need login event log to receive in splunk

gcusello · ‎08-11-2022

Hi @rockzers,

the stanza is winevenlog:security, usually the first.

Ciao.

Giuseppe

rockzers · ‎08-11-2022

@gcusello

Should I remove the other log all settings in input.config and just use the WinEventLog://security logs to check the login event in Splunk?

because i checked and used only security in eventlog input.config and it received logs but when i check the logs it doesn't show my src and src port or ip address is empty

gcusello · ‎08-11-2022

Hi @rockzers,

usually the approach is to leave in default folder the complete inputs.conf as is, with all the disabled stanzas, and then copy in local folder's inputs.conf only the wineventlog:security stanza, enabling it.

You could also insert in this inputs.conf only the stanza's header and the option "disabled=0", but I prefer to copy the full stanza.

Ciao.

Giuseppe

rockzers · ‎08-12-2022

@gcusello

I changed the full stanza and used the local folder input.conf entries just the wineventlog:security stanza, enabling it.
but still not showing any srcip and port, ip address

Maybe splunk running locally and getting a local event log, meaning it doesn't show any ip address and port or srcip sections in the eventog?

venkatasri · ‎08-10-2022

@rockzers you might need to install this add-on and enable required inputs, follow the instructions - https://docs.splunk.com/Documentation/AddOns/released/Windows/AbouttheSplunkAdd-onforWindows

---

Srikanth Yarlagadda

rockzers · ‎08-11-2022

@venkatasri

i installed it and i just need the login event log

How to send Windows log to Splunk?

other

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)