Getting Data In

How to index and forward all Windows Security events?

agarrison
Path Finder

I can't find anything that quite matches what I am trying to do.
We have a security device that can ingest Windows Security logs from Splunk; that would be much easier than installing a second forwarder for the security appliance itself.

I cannot find what I would need to index sourcetype="WinEventLog:Security" as well as forward it to an additional server.

I have tried several implementations on here, but the whole props, transforms, outputs, inputs config file setup is not very intuitive.

0 Karma

agarrison
Path Finder

I have looked at all of those links before posting. Here is the config that I have:

transforms.conf
[sent_to_strm]
# REGEX is required for an index-time transform; "." matches every event
REGEX = .
# route matching events to the [syslog:strm_server] stanza in outputs.conf
DEST_KEY = _SYSLOG_ROUTING
FORMAT = strm_server

props.conf
[WinEventLog:Security]
TRANSFORMS-strm = sent_to_strm

outputs.conf
[syslog:strm_server]
server = 10.0.250.50:514
# indexAndForward and sendCookedData are [tcpout] settings; a [syslog:...]
# stanza does not use them and always sends the raw event text
indexAndForward = true
sendCookedData = false

If I add type=tcp to the outputs it will not send, but the appliance is listening for a "TCP multiline event" from Splunk and ignores the data if it is UDP.
0 Karma

agarrison
Path Finder

Running a Wireshark capture, I do not see anything forwarded after I add type=tcp, but I get events without it. I'm not sure if I need to use _TCP_ROUTING, but when I tried to set that up I do not think I set it up right either, since I got nothing.

0 Karma

agarrison
Path Finder

I got it working using:

outputs.conf
[syslog:ms_strm_dev]
server = 10.164.4.200:12468
type = tcp

props.conf
[syslog]
TRANSFORMS-routing = win_strm, win_index, FilterSecurityEvents, trunkEventDesc1, trunkEventDesc2, UserFilter, LogonFilter

transforms.conf
# keep a local copy: events that start with a Windows-style
# "MM/DD/YYYY HH:MM:SS AM" timestamp go to the index queue
[win_index]
REGEX = ^(\d\d)\/(\d\d)\/(\d\d\d\d)\s(\d\d):(\d\d):(\d\d)\s\w\w
DEST_KEY = queue
FORMAT = indexQueue

# also send events that carry a Windows EventCode to the syslog output above
[win_strm]
REGEX = EventCode=
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ms_strm_dev

But the data comes across with extra information: the event starts with <13> or some other two-digit value that the appliance does not seem to be expecting, as well as the host name, which I am going to need them to parse to know where the event originated.

<13> EXCHANGE 03/04/2016 11:01:54 AM

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information

ComputerName=EXCHANGE.domain
TaskCategory=Logon
OpCode=Info
RecordNumber=251551525
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation

New Logon:
Security ID: domain\jdoe
Account Name: jdoe
Account Domain: domain
Logon ID: 0x91E86B45
Logon GUID: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:

Source Network Address: 10.0.0.250
Source Port: 60790

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -

The appliance is apparently looking for the information following this regex:
(?:<(\d+)>\s?(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) )?(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}[AP]M)

I made the following regex that works:
(?:<(\d+)>\s(?P\w+) (?P\d{2}\/\d{2}\/\d{4}) (?P\d{2}:\d{2}:\d{2}\ \w+))
But I don't think there is any way to change the regex the appliance uses.

I am using a Juniper JSA appliance. Here is the manual; there is a Splunk section, but it is not helpful, since their document just says to see the Splunk documentation:

https://www.juniper.net/techpubs/en_US/jsa2014.4/information-products/topic-collections/jsa-configur...

0 Karma
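To check offline which header shapes the regex quoted in the post accepts, here is an added Python example (not from the original post, and not Juniper's or Splunk's code). It feeds the regex, copied verbatim from the post, a few constructed header lines: the line the post reports Splunk's syslog output producing, plus hypothetical variants that add the RFC 3164 "timestamp host" framing the regex's optional group expects and that drop the space before AM. Whether the appliance anchors the regex at the start of the line is not stated in the thread, so both re.match and re.search are tried; the sample lines and the function names are assumptions made for this example.

```python
import re

# Regex quoted in the post as what the appliance looks for (copied verbatim).
APPLIANCE_RE = re.compile(
    r'(?:<(\d+)>\s?(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) )?'
    r'(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}[AP]M)'
)

# Constructed sample headers. "as_observed" is the line the post reports seeing;
# the others are hypothetical variants (assumed, not captured) that differ in
# the syslog framing after <PRI> and in the spacing before AM/PM.
SAMPLES = {
    "as_observed":           "<13> EXCHANGE 03/04/2016 11:01:54 AM",
    "rfc3164_with_space":    "<13>Mar 04 11:01:54 EXCHANGE 03/04/2016 11:01:54 AM",
    "rfc3164_no_space":      "<13>Mar 04 11:01:54 EXCHANGE 03/04/2016 11:01:54AM",
    "no_syslog_ts_no_space": "<13> EXCHANGE 03/04/2016 11:01:54AM",
}


def parse_header(line, anchored=True):
    """Return the fields the appliance regex captures, or None if it does not match.

    anchored=True uses re.match (must match from the start of the line);
    anchored=False uses re.search (first match anywhere in the line).
    """
    m = APPLIANCE_RE.match(line) if anchored else APPLIANCE_RE.search(line)
    if m is None:
        return None
    pri, syslog_ts, host, event_ts = m.groups()
    return {
        "pri": int(pri) if pri is not None else None,
        "syslog_ts": syslog_ts,
        "host": host,
        "event_ts": event_ts,
    }


def explain(line):
    """List the concrete reasons a header line fails the appliance regex."""
    reasons = []
    # The optional group only matches '<PRI>Mon DD HH:MM:SS host ' right after the PRI.
    if not re.match(r'<\d+>\s?\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ ', line):
        reasons.append("no '<PRI>Mon DD HH:MM:SS host ' syslog header after the PRI")
    # The event timestamp must end in HH:MM:SS[AP]M with no space before AM/PM.
    if re.search(r'\d{2}:\d{2}:\d{2} [AP]M', line):
        reasons.append("space before AM/PM; the regex wants HH:MM:SS[AP]M")
    return reasons


def report():
    """Map each sample name to (anchored result, search result, failure reasons)."""
    return {
        name: (parse_header(line), parse_header(line, anchored=False), explain(line))
        for name, line in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (anchored, searched, why) in report().items():
        print(f"{name:22s} match={anchored} search={searched} {why}")
```

Running it shows that the line as observed fails the quoted regex for two independent reasons: after `<13>` the regex's optional group expects a syslog timestamp and host (`Mar 04 11:01:54 EXCHANGE`), and the Windows timestamp it then expects has AM/PM attached with no space, whereas the forwarded event reads `11:01:54 AM`. Only the variant that satisfies both conditions yields the PRI, host and event timestamp; with the syslog framing absent, an unanchored search still finds the event timestamp but loses the host.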

muebel
SplunkTrust

Hi agarrison, do you have any heavy-forwarders, or do all of the universal forwarders send straight to the indexer(s)?

0 Karma

agarrison
Path Finder

All of the servers have the Universal Forwarder installed, going to the Splunk indexer. I want to just forward from the indexer so I am not collecting the information twice.

0 Karma

muebel
SplunkTrust

Hi agarrison, I've got some questions, but here is a provisional answer. If this is possible, it's outlined here: http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Routeandfilterdatad

0 Karma

gfreitas
Builder
0 Karma

agarrison
Path Finder

I have tried syslog routing and TCP routing and have not managed to get the Windows Security events to forward as a syslog event either way. Any help would be appreciated.

0 Karma

agarrison
Path Finder

The events need to be forwarded using TCP. I can get them out using UDP, but when I enter type=tcp in outputs.conf it stops sending.

0 Karma