Getting Data In

How to write a monitoring stanza to monitor the Windows Event Viewer logs?

Hemnaath
Motivator

Hi All, 

We have a request from the cybersecurity team to monitor the Windows Event Viewer logs in Splunk. My question is how to configure the monitoring stanza to get the event data into Splunk.

Event Viewer (Local) --->Application and Services Logs --> OpenSSH --> Admin

Event Viewer (Local) --->Application and Services Logs --> OpenSSH --> Operational 

When I check the properties to find the exact log path details, I can see this:

%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Operational.evtx

%SystemRoot%\System32\Winevt\Logs\OpenSSH%4Admin.evtx

My question is how to write the monitoring stanza for this path and define the sourcetype for it.

[WinEventLog://Application/OpenSSH/Operational]
sourcetype=winEventLog:OpenSSH:Operational
index=test
disable=0

[WinEventLog://Application/OpenSSH/Admin]
sourcetype=winEventLog:OpenSSH:Admin
index=test
disable=0

Please guide me on this.

0 Karma

VatsalJagani
Champion

@Hemnaath - Please try the two stanzas below.

[WinEventLog://OpenSSH/Operational]
sourcetype=winEventLog:OpenSSH:Operational
index=test
disabled=0

[WinEventLog://OpenSSH/Admin]
sourcetype=winEventLog:OpenSSH:Admin
index=test
disabled=0

Please read the reference here - https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/MonitorWindowseventlogdata 

I hope this helps! An upvote/karma would be appreciated!

0 Karma

Hemnaath
Motivator

Hey, I deployed the stanza below to the remote machine to monitor the Windows Event Viewer --> OpenSSH channels, but I am unable to see any data being monitored from the machine.

Monitoring stanza details:

[WinEventLog://OpenSSH/Operational]
index=main
sourcetype=winEventLog
start_from = oldest
current_only = 0
checkpointInterval = 5
disabled=0
renderXml=false

[WinEventLog://OpenSSH/Admin]
index=main
sourcetype=winEventLog
current_only = 0
checkpointInterval = 5
disabled=0
renderXml=false

I tried to check the Splunk internal logs but was unable to find anything related to this sourcetype.

index="_internal" sourcetype=splunkd* host="XXXXX*"  channel='OpenSSH/Admin'

Can anyone guide me on how to monitor the Windows Event Viewer?

0 Karma

VatsalJagani
Champion

@Hemnaath - Can you please check for any errors with the query below?

index="_internal" sourcetype=splunkd host="XXXXX*" CASE(ERROR)

0 Karma

Hemnaath
Motivator

I executed the query, but there were no errors/warnings related to the source OpenSSH; I could see the error below for another channel.

05-12-2022 12:04:31.538 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to update Windows Event Log bookmark, channel='System'

0 Karma
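A local check run on the forwarder host, covering both the stanza names from the answer above and the "no data" follow-up. This is an added example, not code from the thread or from Splunk: it verifies that the two channels exist under the names the stanza headers use, that they are enabled and actually hold records, that the Universal Forwarder parsed the stanzas, and what the forwarder's own splunkd.log says about them. The install path in `$SplunkHome` is the default from the error line above; adjust it if your forwarder lives elsewhere.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# Windows host that carries the Universal Forwarder.
# Assumption: UF installed at the default path below; change if needed.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'

# The part after WinEventLog:// must be the channel's LogName as Windows
# reports it: 'OpenSSH/Operational', not the Event Viewer folder path
# ('Application and Services Logs\OpenSSH\...') and not the .evtx file name.
# The '%4' in OpenSSH%4Operational.evtx is just how Windows encodes the '/'
# of the channel name on disk.
$Channels = 'OpenSSH/Operational', 'OpenSSH/Admin'

# 1. Does each channel exist, is it enabled, and does it hold any events?
#    An enabled channel with RecordCount 0 will never produce Splunk events,
#    whatever the stanza says.
foreach ($c in $Channels) {
    $log = Get-WinEvent -ListLog $c -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Warning "Channel '$c' not found on this host; check the stanza name"
        continue
    }
    '{0,-22} enabled={1,-5} records={2}' -f $log.LogName, $log.IsEnabled, $log.RecordCount
    if (-not $log.IsEnabled) {
        # Enable the channel so new events are written (same as the
        # "Enable Log" action in Event Viewer).
        Write-Warning "Enabling '$c'"
        wevtutil sl $c /e:true
    }
}

# 2. Confirm the UF actually loaded the stanzas. A typo in the header or a
#    misspelled key (e.g. 'disable' instead of 'disabled') is ignored
#    silently and the input never starts; btool shows the merged result and
#    which file each setting came from.
foreach ($c in $Channels) {
    & "$SplunkHome\bin\splunk.exe" btool inputs list "WinEventLog://$c" --debug
}

# 3. Read the forwarder's own log for these channels. This is the same data
#    the index=_internal search in the thread reads once it has been
#    forwarded, but checking it locally rules out the forwarding path.
Select-String -Path "$SplunkHome\var\log\splunk\splunkd.log" `
    -Pattern 'OpenSSH/(Operational|Admin)|splunk-winevtlog' |
    Select-Object -Last 20
```

If step 1 reports the channel as missing, the OpenSSH Server capability is not installed on that host and there is nothing to collect; if it reports records but step 3 shows no line mentioning the channel, the stanza was not applied and step 2's output tells you which inputs.conf the forwarder is actually reading.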