cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Codyy_Fast
Engager
Member since: ‎09-12-2022
Wednesday
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎09-12-2022
View All

Collecting Logs Windows Servers and Windows Domain...

by in Getting Data In
‎08-21-2023 02:42 PM
‎08-21-2023 02:42 PM
Hello all, I need your help in analyzing my collected log data. I have all of our Windows servers connected in Splunk using the Universal Forwarder. This includes the domain controllers as well. Only the security event log is transmitted. I have installed the Splunk Add-on for Microsoft Windows on the Splunk servers (Indexer, Searchead,). I want to know about failed login attempts, account lockouts, as well as tampering with Local Administrator accounts. If I now start a search query for example on Event ID 4625, I get thousandfold messages with field "host" where my domain controllers are inside. At "host" I want to see the really affected system. For example my Splunk query looks like this: index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740) | eval Benutzerkonto = coalesce(Kontoname, Account_Name) | eval Meldung = coalesce(Fehlerursache, Failure_Reason) | eval IP-Quelladresse = coalesce(Source_network_address, Quellnetzwerkadresse) | table _time, ComputerName, Benutzerkonto, Meldung, IP-Quelladresse (I merge german and english logentries). I only want to know when someone tries to log in to the domain controller, locks his account there or hijacks the local admin on the domain controller. I do not want to see log entries of affected systems via the domain controllers. Do you have a solution to the problem or even suggestions for improvement? Thanks in advance. Best regards Codyy_Fast ... View more
Labels

Re: Deployment-Server Linux Sererclass Monitoring ...

by in Splunk Enterprise
‎09-22-2022 04:22 AM
‎09-22-2022 04:22 AM
Hi, thanks for your Reply! Everything worked, thank you! I have installed the Linux Unix add-on on the deployment server. Then I moved it from /opt/splunk/etc/apps to /opt/splunk/etc/deployment-apps. After that, I was able to deploy the app via the Splunk web interface.   Greetings! ... View more

Deployment-Server Linux Sererclass Monitoring Last...

by in Splunk Enterprise
‎09-12-2022 07:56 AM
‎09-12-2022 07:56 AM
Hello all, I am new to Splunk and need a little help. I have the following configuration: Splunk Indexer Server. Splunk Deployment Server. I have installed Universal Forwarder on my clients and specified Deployment Server in the installation. After installation, the clients report correctly to the Deployment Server. I have created two server classes. One for Windows and one for Linux. Server class Linux: App "fwd_to_receiver" = the Splunk indexer server is specified here. App "Linmess" = inputs.conf (here is defined what should be monitored) My question now: I would like to monitor the /var/log/lastlog file. But this does not work with inputs.conf. I have now installed a Splunk Add-on for Unix and linux. How can I set this up so that my deployment server distributes a central configuration where the "Lastlog" file is monitored correctly and also the source type fits. Do I need to install the add-on on the indexer and on the deployment server? Many thanks in advance! best regards Codyy_Fast ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
Wednesday
Karma given to
View All