Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About achauhan2098
achauhan2098
Engager
Member since:
01-19-2021
02-23-2021
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 01-19-2021 |
Activity Feed
- Posted I've got my data in but I now need to get some good use cases out of the windows log data! on Security. 01-28-2021 03:14 PM
- Posted Re: Introducing Deployment Server Stops Data Getting In on Getting Data In. 01-25-2021 12:26 PM
- Posted Re: Specific Windows Events Only on Security. 01-21-2021 03:37 AM
- Posted Specific Windows Events Only on Security. 01-20-2021 02:55 PM
- Posted Re: Introducing Deployment Server Stops Data Getting In on Getting Data In. 01-20-2021 05:59 AM
- Posted Introducing Deployment Server Stops Data Getting In on Getting Data In. 01-20-2021 12:21 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
01-28-2021
03:14 PM
Relatively new to splunk but after a few challenges I have my splunk deployment up and running. I've limited this to 7 specific window event codes, namely (4776,4720,4723,1102,4624,4726,4625). I dont have the stick with these but I had advice from Splunk that this would be a good start. However I now need to turn these into a good set of security use cases. I probably need to expand my inputs.conf file as currently its deliberately limited: [WinEventLog://Application] disabled = 1 start_from = oldest current_only = 0 checkpointInterval = 5 renderXml=true [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 whitelist = 4776,4720,4723,1102,4624,4726,4625 index=wineventlog renderXml=true [WinEventLog://System] disabled = 1 start_from = oldest current_only = 0 checkpointInterval = 5 renderXml=true So my question is to get some good security event logs from what I have configured above, do I just work with this and try to get the search terms to match what I'm trying to achieve or is there anything more fundamental I need to change first? Also, if there are any good resources for windows security searches that would be great. Thanks!
... View more
Labels
- Labels:
-
access control
-
audit
-
login
01-25-2021
12:26 PM
Thanks for your help - I got this working. I think the issue was ultimately with the forwarding. It looks like the app for logging into Splunk Cloud was being sent to the UF. But I only got this working once I stripped the desired app down to just the inputs and outputs.conf files. I still have work to do but the base is there now. Thanks,
... View more
01-21-2021
03:37 AM
Hi @tscroggins thanks for the reply. I think that was just my understanding of whitelisting. do you know of an easy way to find what windows events would sit in which stanzas? most of the time it will be obvious but for some events they could legitimately sit in either camp. Thanks!
... View more
01-20-2021
02:55 PM
Hey All, Sorry if this has been asked before but I couldnt see the same such post. I want to include some specific windows logs and exclude all others. From what I can see the below config is including other events too - is this because I have Application and System Stanzas with no whitelists? Or do I need to include a blacklist too within this stanza? [WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 whitelist = 4776,4720,4723,1102,4624,4726,4625 renderXml=true Thanks!
... View more
Labels
- Labels:
-
other
01-20-2021
05:59 AM
Hi Giuseppe, thanks for your response. So do you mean I *need* to monitor the DS? and so does the outputs.conf file only need to be there if the DS itself is being monitored? Because it's not in the chain of process to Splunk Cloud here is it? Thanks, Anish
... View more
01-20-2021
12:21 AM
Hi Community! Despite lots of reading and doing my best to get the answer from documentation, I can't see why the introduction of a deployment server is causing issues with the data getting into Splunk Cloud. So I'd really appreciate some help. I have 4 test servers and I've completed the steps below: Intermediate forwarders have Splunk cloud as forwarding servers in outputs.conf file. this is also verified when issuing cli commands. Intermediate forwarders have a receiving port configured Intermediate forwarders have the Splunk Cloud credentials installed When the UF have the intermediate forwarders set as the forwarding server the cli shows that this config is good -> and ultimately the forwarding client data reaches the cloud index no problem. However when I introduce the deployment server, this is where no data reaches Splunk cloud and issuing cli commands the forwarding client just hangs. When I look in /etc/deployment-app/<app-folder>/default - there's no outputs.conf file on the deployment server and so I feel that the server config is missing something. I've used this guide as a setup reference for the deployment server but I still feel like I've missed something. https://docs.splunk.com/Documentation/SplunkCloud/8.1.2011/Admin/WindowsGDI (specifically step 3) Any suggestions would be really appreciated, Thanks!
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-23-2021
10:07 AM
|
