Getting Data In

How do I edit my configuration to index security event logs for Windows success/failed login and logout events?

amadmin
New Member

Hi,

I installed Splunk Enterprise to a single instance and am installing the Splunk Universal Forwarder.
The goal is to index only Windows security event logs of Windows login success, failed, and logout.

I have configured the PROPS file on the server as follows:

[default]

[csv]
CHECK_FOR_HEADER = false

[WinEventLog:Security]
# CHANGE: filter on local WinEventLog Security events (Splunk server)
TRANSFORMS-wineventlog_security = SetNull, GetLocalWinAdmin

and TRANSFORMS:

[SetNull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[GetLocalWinAdmin]
# Filter to keep logons (failed and successful) and logoffs only for all Admins (Win2000/3 and Win2008)
#REGEX =(?msi)EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s
#REGEX =(?msi)EventCode=(?:5(?:29|3[0-7])|4625)|EventCode=(?:5(28|38|40)|46(?:24|34|47|48))\s+.+(?:(?:User|Account)\s+Name:|(?:Nome\s+(?:utente|account):))\s+(?:Admin|Administrator|user1|user2|user3)\s

source="WinEventLog:*"

on FORWARDER servers I configured the file inputs and outputs as follows:

INPUTS:

[WinEventLog://Security]
checkpointInterval = 5
disabled = 0
current_only = 1
evt_resolve_ad_obj = 1
# start_from = newest
whitelist = 528,538,540,529,530,531,532,533,534,535,536,537,539,4624,4625,4634,4648,4672,4625,4771

OUTPUTS:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = SPLUNK.domain.local:9997

At present I receive data from 2 sources:
WinEventLog: Application
WinEventLog: System

but not from WinEventLog: Security!!!! That is what I'm interested in.
I do not understand why it's not working. Can anyone help?

Thank you.

0 Karma

woodcock
Esteemed Legend

It appears that you are trying to do 2 levels of filtering.
The first level is whitelisting by EventCode. You have configured this correctly so that only EventCodes in the whitelist should be forwarded. If you keep my first answer (which was remove SetNull from the TRANSFORMS- line), then you will get no additional filtering and you will get some (the whitelisted) events. If you keep SetNull and would like to use it to do additional filtering, then you need to make sure that you use a RegEx that works to pull events back out of the nullQueue (the way you have it right now, it has no RegEx so it is as though it does not exist so all events go into the nullQueue and none are pulled back out).

0 Karma

amadmin
New Member

In your opinion, what is the best way to index ONLY the security events specified in INPUTS.conf and only for users defined by me?
Must SetNull also be kept?

0 Karma

amadmin
New Member

Thanks for the reply woodcock.
It is exactly like that, I want to do two levels of filtering.
The first, whitelisting by EventCode, is now OK; for the second filter I would keep SetNull. How can I make a RegEx suitable for this?

Thanks to all for any suggestion.

0 Karma

woodcock
Esteemed Legend

Take a look at my answer; just make sure that you are specifying a valid REGEX and it should work just fine. You will have to restart the Splunk instances on your Indexers, though, and it will only apply to events that are indexed after the restarts.

0 Karma

amadmin
New Member

I would like Splunk to index only events from WinEventLog://Security
with EventCode 528,538,540,529,530,531,532,533,534,535,536,537,539,4624,4625,4634,4648,4672,4625,4711.
In my case, is it useful to use SetNull, and how?

0 Karma

woodcock
Esteemed Legend

If you only need to filter on EventCode, then you do not need anything in props.conf, nor in transforms.conf; your whitelist in inputs.conf should work just fine.

0 Karma

woodcock
Esteemed Legend

This stanza is broken:

[GetLocalWinAdmin]
# Filter to keep logons (failed and successful) and logoffs only for all Admins (Win2000/3 and Win2008)
#REGEX =(?msi)EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s
#REGEX =(?msi)EventCode=(?:5(?:29|3[0-7])|4625)|EventCode=(?:5(28|38|40)|46(?:24|34|47|48))\s+.+(?:(?:User|Account)\s+Name:|(?:Nome\s+(?:utente|account):))\s+(?:Admin|Administrator|user1|user2|user3)\s
source="WinEventLog:*"

Replace it with this (or similar; you may need to fix REGEX):

[GetLocalWinAdmin]
REGEX=(?m)^EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s
DEST_KEY=queue
FORMAT=indexQueue

P.S. Forget my first (wrong) answer (now deleted).

0 Karma
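Added worked example (not code from the thread or from Splunk): a small Python model of the two filtering levels discussed above, using the whitelist from the poster's inputs.conf and the SetNull / GetLocalWinAdmin transforms, first as originally posted (no REGEX) and then as corrected. The sample events are constructed in the multi-line WinEventLog format, and the routing rule assumed is Splunk's documented one: TRANSFORMS- stanzas are applied in order and the last one that sets DEST_KEY=queue wins.

```python
import re

# Constructed sample events (not real captures) in WinEventLog:Security layout.
LOGON_4624 = "01/15/2024 10:00:01 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"
KERB_4771 = "01/15/2024 10:00:02 AM\nLogName=Security\nEventCode=4771\nEventType=0\n"
ACCOUNT_4720 = "01/15/2024 10:00:03 AM\nLogName=Security\nEventCode=4720\nEventType=0\n"

# Level 1: the forwarder's inputs.conf whitelist from the question.
WHITELIST = set("528,538,540,529,530,531,532,533,534,535,536,537,539,"
                "4624,4625,4634,4648,4672,4625,4771".split(","))

# Level 2: transforms as (name, REGEX or None, FORMAT), in TRANSFORMS- order.
BROKEN = [("SetNull", r".", "nullQueue"),
          ("GetLocalWinAdmin", None, None)]          # REGEX commented out
FIXED = [("SetNull", r".", "nullQueue"),
         ("GetLocalWinAdmin",
          r"(?m)^EventCode=(?:5(?:28|29|3[0-8]|40)|46(?:24|25|34|47|48))\s",
          "indexQueue")]


def forwarded(event):
    """Level 1: would the forwarder send this event on at all?"""
    m = re.search(r"(?m)^EventCode=(\d+)", event)
    return bool(m) and m.group(1) in WHITELIST


def route(event, transforms):
    """Level 2: queue the indexer puts the event in; last matching stanza wins."""
    queue = "indexQueue"                       # default when no transform fires
    for _name, regex, fmt in transforms:
        if regex is None:                      # no REGEX: stanza is effectively absent
            continue
        if re.search(regex, event):
            queue = fmt
    return queue


def pipeline(event, transforms):
    """Outcome after both levels: 'not forwarded', 'nullQueue' or 'indexQueue'."""
    return route(event, transforms) if forwarded(event) else "not forwarded"


if __name__ == "__main__":
    for label, ev in [("4624", LOGON_4624), ("4771", KERB_4771), ("4720", ACCOUNT_4720)]:
        print(label, "broken:", pipeline(ev, BROKEN), "fixed:", pipeline(ev, FIXED))
```

Note that 4771 is on the inputs.conf whitelist but not in the corrected REGEX, so it passes level 1 and is then dropped at level 2; the two lists need to agree for the intended events to reach the index.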

amadmin
New Member

Why wrong?
Thanks to the previous answer, I now get WinEventLog: Security events,
but I want to index only WinEventLog: Security.

Could you indicate the entire TRANSFORMS.conf file? :)

Thanks

0 Karma