Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to index and forward all Windows Security events?

agarrison
Path Finder
‎03-03-2016 01:01 PM

I can't find anything that quite matches what I am trying to do.
We have a security device that can ingest Windows Security logs from Splunk, it would be much easier than installing a second forwarder for the security appliance itself.

I cannot find what I would need to index sourcetype="WinEventLog:Security" as well as forward it to an additional server.

I have tried several implementations on here, but the whole props, transforms, outputs, inputs config file setup is not very intuitive.

0 Karma
Reply

agarrison
Path Finder
‎03-04-2016 05:44 AM

I have looked at all of those links before posting, Here is the config that I have

transforms.conf
[sent_to_strm]
DEST_KEY = _SYSLOG_ROUTING
FORMAT= strm_server

props.conf
[WinEventLog:Security]
TRANSFORMS-strm = sent_to_strm

outputs.conf

[syslog:strm_server]
server=10.0.250.50:514
indexAndForward=true
sendCookedData=false

      If I add type=tcp to the outputs it will not send, but the appliance is listening for a "TCP multiline event" from splunk and ignores the data if it is UDP
0 Karma
Reply

agarrison
Path Finder
‎03-04-2016 05:54 AM

Running a Wireshark capture I do not see anything forwarded after I add the type=tcp, but I get events without it. I'm not sure If I need to use _TCP_ROUTING? but When I tried to set that up I do not think I set it up right either since I got nothing.

0 Karma
Reply

agarrison
Path Finder
‎03-04-2016 08:29 AM

I got it working using:
outputs.conf
[syslog:ms_strm_dev]
server = 10.164.4.200:12468
type = tcp

props.conf
[syslog]
TRANSFORMS-routing = win_strm, win_index, FilterSecurityEvents, trunkEventDesc1, trunkEventDesc2, UserFilter, LogonFilter

transforms.conf
[win_index]
REGEX = ^(\d\d)\/(\d\d)\/(\d\d\d\d)\s(\d\d):(\d\d):(\d\d)\s\w\w
FORMAT = TimeGenerated::$2/$1/$3 $4
DEST_KEY = queue
FORMAT = indexQueue
[win_strm]
REGEX = EventCode=
DEST_KEY = _SYSLOG_ROUTING
FORMAT = ms_strm_dev

But the data comes across with extra information, the event starts with <13> or some other two digit variable that the appliance does not seem to be expecting as well as the host name, which I am going to need them to parse to know where the event originated.

<13> EXCHANGE 03/04/2016 11:01:54 AM

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information

ComputerName=EXCHANGE.domain
TaskCategory=Logon
OpCode=Info
RecordNumber=251551525
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation

New Logon:
Security ID: domain\jdoe
Account Name: jdoe
Account Domain: domain
Logon ID: 0x91E86B45
Logon GUID: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name:

Source Network Address: 10.0.0.250
Source Port: 60790

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -

The appliance is apparently looking for the information following this regex:
(?:<(\d+)>\s?(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) )?(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}[AP]M)

I made the following regex that works
(?:<(\d+)>\s(?P\w+) (?P\d{2}\/\d{2}\/\d{4}) (?P\d{2}:\d{2}:\d{2}\ \w+))
But I don't think there is any way to change the regex the appliance uses.

I am using a Juniper JSA appliance, here is the manual, there is a Splunk section but it is not helpful, their document states to see the Splunk documentation

https://www.juniper.net/techpubs/en_US/jsa2014.4/information-products/topic-collections/jsa-configur...

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎03-03-2016 02:14 PM

Hi agarrison, do you have any heavy-forwarders, or do all of the universal forwarders send straight to the indexer(s)?

0 Karma
Reply

agarrison
Path Finder
‎03-03-2016 03:30 PM

all of the servers have the Universal forwarder installed going to the splunk indexer. I want to just forward from the indexer so I am not collecting the information twice

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎03-03-2016 02:13 PM

Hi agarrison, I've got some questions, but here is a provisional answer. If this is possible, it's outlined here: http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Routeandfilterdatad

0 Karma
Reply

gfreitas
Builder
‎03-03-2016 02:01 PM

Hi agarrison,

Maybe this link from the docs can help you: http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Forwarddatatothird-partysystemsd#Syslog...

0 Karma
Reply

agarrison
Path Finder
‎03-03-2016 01:02 PM

I have tried Syslog routing and TCP routing and have not managed to get the windows security events to forward as a syslog event either way. any help would be appreciated.

0 Karma
Reply

agarrison
Path Finder
‎03-03-2016 01:59 PM

The events need to be forwarded using TCP, I can get them out using UDP, but when I enter type=tcp in the outputs.conf it stops sending.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...