Hello all, I need your help in analyzing my collected log data. I have all of our Windows servers connected to Splunk using the Universal Forwarder. This includes the domain controllers as well. Only the Security event log is transmitted. I have installed the Splunk Add-on for Microsoft Windows on the Splunk servers (Indexer, Search Head). I want to know about failed login attempts, account lockouts, as well as tampering with local Administrator accounts. If I now start a search query, for example on Event ID 4625, I get thousands of messages whose "host" field contains my domain controllers. In "host" I want to see the really affected system. For example, my Splunk query looks like this:

index=Wineventlog sourcetype=wineventlog source::WinEventLog:Security (EventCode=4625 OR EventCode=4740) | eval Benutzerkonto = coalesce(Kontoname, Account_Name) | eval Meldung = coalesce(Fehlerursache, Failure_Reason) | eval "IP-Quelladresse" = coalesce(Source_Network_Address, Quellnetzwerkadresse) | table _time, ComputerName, Benutzerkonto, Meldung, "IP-Quelladresse"

(I merge German and English log entries.) I only want to know when someone tries to log in to the domain controller, locks their account there or hijacks the local admin on the domain controller. I do not want to see log entries of affected systems via the domain controllers. Do you have a solution to the problem or even suggestions for improvement? Thanks in advance. Best regards, Codyy_Fast
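The field merging in the query above, as added example code that is not from the post or from Splunk: it coalesces the German and English field names the same way and uses two facts about these events to pick the affected host. Event 4625 is written by the machine where the logon was attempted, so the logon type separates console/RDP attempts at the DC itself from the network logons workstations generate when they authenticate to it, while 4740 is written by the DC but names the originating machine in Caller_Computer_Name. The sample events, the host name DC01 and the German field names Anmeldetyp and Aufrufercomputername are constructed or assumed.

```python
# Constructed sample events (not from the post) in the shape the Splunk Add-on for
# Windows extracts: English and German 4625s from a DC, plus two 4740 lockouts.
SAMPLE_EVENTS = [
    {"EventCode": "4625", "host": "DC01", "Account_Name": "jdoe", "Logon_Type": "10",
     "Failure_Reason": "Unknown user name or bad password.", "Source_Network_Address": "10.0.0.5"},
    {"EventCode": "4625", "host": "DC01", "Kontoname": "mmueller", "Anmeldetyp": "3",
     "Fehlerursache": "Unbekannter Benutzername oder ungültiges Kennwort.", "Quellnetzwerkadresse": "10.0.0.23"},
    {"EventCode": "4740", "host": "DC01", "Account_Name": "jdoe", "Caller_Computer_Name": "WS-042"},
    {"EventCode": "4740", "host": "DC01", "Account_Name": "svc-backup", "Caller_Computer_Name": "DC01"},
]

# English field -> German aliases. The first three pairs are the post's own;
# "Anmeldetyp" and "Aufrufercomputername" are assumed German field names.
ALIASES = {
    "Account_Name": ("Kontoname",),
    "Failure_Reason": ("Fehlerursache",),
    "Source_Network_Address": ("Quellnetzwerkadresse",),
    "Logon_Type": ("Anmeldetyp",),
    "Caller_Computer_Name": ("Aufrufercomputername",),
}

# Console (2), unlock (7), RDP (10) and cached-interactive (11) logons target the host
# that logged the event; type 3 (network) is what workstations generate when they
# authenticate to DC shares and makes up the bulk of 4625 noise on a DC.
INTERACTIVE_LOGON_TYPES = {"2", "7", "10", "11"}

def coalesce(event, field):
    """Mirror SPL coalesce(): first non-empty value among a field and its aliases."""
    for name in (field,) + ALIASES.get(field, ()):
        if event.get(name):
            return event[name]
    return None

def normalize(event):
    """One row per event, naming the host that actually suffered the failure."""
    code = event["EventCode"]
    # 4625 is logged by the machine where the logon was attempted; 4740 is logged by
    # the DC but names the machine that caused the lockout in Caller_Computer_Name.
    affected = event["host"] if code == "4625" else coalesce(event, "Caller_Computer_Name")
    return {"event": code, "affected_host": affected,
            "account": coalesce(event, "Account_Name"),
            "reason": coalesce(event, "Failure_Reason"),
            "source": coalesce(event, "Source_Network_Address"),
            "logon_type": coalesce(event, "Logon_Type")}

def dc_only(events, dc_hosts):
    """Keep interactive/RDP failures at a DC and lockouts triggered from a DC."""
    rows = [normalize(ev) for ev in events if ev.get("EventCode") in ("4625", "4740")]
    return [r for r in rows if r["affected_host"] in dc_hosts
            and (r["event"] != "4625" or r["logon_type"] in INTERACTIVE_LOGON_TYPES)]
```

With the constructed input, dc_only(SAMPLE_EVENTS, {"DC01"}) keeps the RDP failure at DC01 and the lockout caused from DC01, and drops the network-logon failure and the lockout that originated on WS-042.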
Hi, thanks for your reply! Everything worked, thank you! I have installed the Linux/Unix add-on on the deployment server. Then I moved it from /opt/splunk/etc/apps to /opt/splunk/etc/deployment-apps. After that, I was able to deploy the app via the Splunk web interface. Greetings!
I am new to Splunk and need a little help.
I have the following configuration:
Splunk Indexer Server. Splunk Deployment Server.
I have installed Universal Forwarder on my clients and specified Deployment Server in the installation.
After installation, the clients report correctly to the Deployment Server. I have created two server classes. One for Windows and one for Linux.
Server class Linux:
App "fwd_to_receiver" = the Splunk indexer server is specified here.
App "Linmess" = inputs.conf (here it is defined what should be monitored)
My question now:
I would like to monitor the /var/log/lastlog file. But this does not work with inputs.conf.
I have now installed the Splunk Add-on for Unix and Linux. How can I set this up so that my deployment server distributes a central configuration in which the "lastlog" file is monitored correctly and the source type also fits? Do I need to install the add-on on the indexer and on the deployment server?
Many thanks in advance!
Best regards, Codyy_Fast