Using Splunk 6.4.1
I am trying to monitor the WinEventLog://Security; however, I only need to monitor two EventCodes (4732 and 4624). Additionally, we are looking to remove all service accounts f...
We are installing Splunk on CentOS Linux in the next week or so. Our service accounts are going to be on an LDAP server. Will I be able to install and run the Splunk App for Enterprise Security w...
I am running Splunk on top of GCE instances, and I'd like to use a GCE service account for the Pub/Sub subscription instead of providing a JSON file. Is that possible? What would be the effort to i...
Hi, we have a service account svc_account that should log into certain servers (Server1, Server2, Server 3). How would we create an alert to notify if svc_account logs into a server other t...
...mbedded in the configs somewhere in addition to the windows service? I have an install that was done months ago using the local system account, and I'd like to change it to use a domain account. Assigning a...
I'm searching on Windows Security Auditing logs and the Security_ID field but when I do, I'm realizing that there is a section for Subject and Target Account. I want to be able to extract each i...
We would like to keep a copy of the log files before they get indexed for long term retention which gets downloaded via the API.
inputs.conf
[scwss-poll]
interval = 3600
sourcetype = symantec...
Hello everybody,
due to strict security requirements, I am trying to set up the Splunk Universal Forwarder service to run with a domain account that does NOT have administrative privileges on the server....
I am working with a customer that is trying to narrow down their Windows Security logs. They would like to isolate the Event Code to only 4732, 4624, while excluding Logon Type "3" and the list of Account...