The outline of the solution is:
2. Install Splunk Universal Forwarder, Splunk Heavy Forwarder, or some other log agent (e.g. nxlog or syslog) on all of your DCs.
2. Configure the software to monitor the Windows Security Event logs for events of interest; drop everything else (configure either props/transforms on the Heavy Forwarder or on the Indexer).
3. Send the data to your Splunk Indexers.
4. Use the sample query provided above.

by lukejadamec, Sep 03, 2013 at 05:58 AM
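Step 2 above (keep only the Security events you care about and drop the rest) is usually done with a pair of stanzas like the following. This is an added illustration, not configuration from lukejadamec's answer; it assumes the classic `WinEventLog:Security` sourcetype produced by a `[WinEventLog://Security]` input, and the event codes listed (logon success/failure, Kerberos ticket/pre-auth events and NTLM validation) are just a sample set to adapt to whatever your query needs.

```ini
# props.conf  (on the Heavy Forwarder or the Indexer, never the Universal Forwarder,
#              because only parsing-capable instances apply TRANSFORMS)
[WinEventLog:Security]
# Order matters: setnull runs first and routes every event to the null queue,
# then setparsing overrides the routing for the events we want to keep.
TRANSFORMS-routing = setnull, setparsing

# transforms.conf
[setnull]
# Match everything -> discard
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
# Keep only these EventCodes (sample set, assumed for this example):
#   4624 logon success, 4625 logon failure,
#   4768/4769 Kerberos TGT/service ticket, 4771 Kerberos pre-auth failure,
#   4776 NTLM credential validation
# (?m) makes ^ match at line starts inside the multi-line raw event;
# \b stops 4624 from also matching 46240.
REGEX = (?m)^EventCode=(4624|4625|4768|4769|4771|4776)\b
DEST_KEY = queue
FORMAT = indexQueue
```

Two things worth checking before you rely on this: the stanza has to sit on the first parsing instance the data reaches (if a Heavy Forwarder already cooked the events, the Indexer will not re-run TRANSFORMS on them), and anything dropped to `nullQueue` is gone for good and does not count against your license, so verify the kept set against the query you actually run before tightening the regex.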