Windows logon reporting

jgauthier
Contributor

History: Using Splunk 4.2, and added the Windows App.

I noticed there are some prebuilt searches, for instance logons by username.

source="wineventlog:security" EventCode=528 OR EventCode=540 OR EventCode=4624 | get_user_name | stats count by User_Name

I notice this search uses the wineventlog:security source.

I don't really care about the local machine... How do I get my domain controllers to fall into this source so the report is applicable domain-wide?

When I add event log monitoring, the source is WMI:wineventlog:security.

Thanks!


David
Splunk Employee

The Windows app is going to assume the pulling of logs off the local machine. There are two ways you can get this to work. The first (and easiest) would be just to change the source="" in the Windows app, and still use WMI to pull the data in. The second (potentially better, depending on your environment) would be to install a Splunk forwarder on the domain controller. This will eat up fewer resources (WMI is very resource intensive) and give you more visibility, but does require installing software on your DCs.

jgauthier
Contributor

Fantastic. Thanks. I was sending it to a TCP port and now am sending it to the receiver. Working well. Time to refine/configure.

Paolo_Prigione
Builder

Kinda... let the "receiver" open port 9997 but don't force a sourcetype for that. Point the universal forwarder to that port (CLI: splunk add forward-server yourserver:9997).
Splunk-to-Splunk communication has a bunch of metadata included which will automatically tell the receiver the proper source, sourcetype, and host.
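The forwarder-to-receiver setup Paolo describes, written out as configuration files. This is an added example and not configuration from the thread or from Splunk's own documentation; the hostname splunk-indexer.example.com and the index name are assumptions, while port 9997 and the Security event log monitor come from the discussion. The last stanza shows the raw-TCP variant with a forced sourcetype (the approach asked about in the thread) so the difference is visible side by side.

```ini
; --- Universal forwarder on the domain controller: inputs.conf ---
; Read the local Security event log. The monitor input sets
; source=WinEventLog:Security itself, so the app's prebuilt search
; (source="wineventlog:security") matches without changes.
[WinEventLog://Security]
disabled = 0
index = wineventlog          ; assumed index name; must exist on the receiver

; --- Universal forwarder on the domain controller: outputs.conf ---
; Equivalent to: splunk add forward-server splunk-indexer.example.com:9997
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-indexer.example.com:9997   ; assumed receiver hostname

; --- Receiver / indexer: inputs.conf ---
; A splunktcp input understands the Splunk-to-Splunk stream, so the
; source, sourcetype and host sent by the forwarder are kept as-is.
; No sourcetype is forced here, per Paolo's advice.
[splunktcp://9997]
disabled = 0

; --- What NOT to do on the receiver (for contrast) ---
; A raw tcp input on the same port treats the forwarder's cooked
; stream as plain text and overrides the metadata, so host, source and
; sourcetype from the DC are lost and the app's searches stop matching.
; Leave this stanza out; it is shown only to illustrate the difference.
; [tcp://9997]
; sourcetype = DC-security
```

Using splunktcp also removes the need to add one port per data source: every forwarder can send to 9997, and the receiver tells the sources apart by the host, source and sourcetype fields the forwarder already stamps on each event.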

jgauthier
Contributor

Awesome. Thanks for the clear answer. I am in the process of setting up a light forwarder and didn't want to go through the process if that was the wrong direction. I will then modify/copy the searches into new ones (so as not to break my upgrade-ability later).

What's considered the best practice for this? I was thinking of defining a specific TCP port, say 9997, and forcing its source to be something like "DC-security". If I want to do something else in the future, I would add another TCP port, and segregate that way. Is this the wrong approach?