
Windows Event Log Ingestion - Collecting Security Events with Splunk Universal Forwarders

Configuration of Detect

Under Settings > External Connectors > Windows Event Log Ingestion use the following:

  • Type: Raw TCP
  • Data Format: xml
  • Receiving port: 4637 (fixed)
  • Server IP/hostname: IP address of the system where the Universal Forwarder is installed
  • Source Name: Friendly name of that server

image1.png

NOTE: Add one entry (IP address and source name) for every server that will send data to Detect.

Case 1: Installation and Setup of Universal Forwarder

This case applies when the Universal Forwarder is not yet installed on the Domain Controller from which we want to collect data.

Download the latest version of the UF: https://www.splunk.com/en_us/download/universal-forwarder/

image2.png

Click Customize Options and follow the screenshots below:

image4.png

image3.png

image5.png

image6.png

image7.png

Select only the Security log: Detect needs only Security-related events. The installer writes this selection to the inputs configuration file.

image8.png

Leave the deployment server configuration empty.

image9.png

Enter the hostname or IP address of Cognito Detect as the receiving indexer and change the port from the default 9997 to 4637, the fixed TCP port on which Detect receives Windows events. Then proceed per the screenshots below.

image10.png

The installer writes this destination to the outputs configuration file ($SPLUNK_HOME/etc/system/local/outputs.conf), so the forwarder sends its data to Detect on TCP port 4637. That file only selects the destination; the raw-data setting Detect needs (sendCookedData = false) is covered in the options below.

image11.png

image12.png

image13.png

Now that the installation is done, the default configuration needs a small change. There are two options; we recommend the first.

Option 1: Edit UF local inputs.conf

Edit the inputs.conf file located in:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\

to include a few more parameters:

[WinEventLog://Security]
host=dc01
index = wineventlog_xml
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
renderXml=true

The renderXml=true line is the one that needs to be added; the other lines are what the installer wrote.

NOTE: The host and index lines are not required when sending the data to Detect (they are part of the default config).

The installer's outputs.conf ($SPLUNK_HOME/etc/system/local/outputs.conf) also needs the line sendCookedData = false under its [tcpout] stanza (or under the target group that points at port 4637). The installer does not set it, and Detect's Raw TCP connector expects plain XML rather than the cooked Splunk-to-Splunk stream a forwarder sends by default.

  • To send only Event IDs 4768 and 4769, add the line:
whitelist1 = EventCode="476[89]"

NOTE: If you do not whitelist anything, all Security events are sent to Detect, which filters them and keeps only Event IDs 4768 and 4769. Whitelisting on the forwarder only saves bandwidth and Detect-side work; it does not change what Detect keeps. The Security input is shared by every output group on the forwarder, so a whitelist here also restricts what any Splunk indexer destination (see Case 2) receives.

Option 2: Using Windows TA

In this case we use the Splunk Add-on for Windows (Splunk_TA_windows) instead of editing the configuration the installer wrote.

  • Install the Splunk Add-on for Microsoft Windows on your Universal Forwarder (https://splunkbase.splunk.com/app/742/ )
  • Copy $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default/inputs.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf and edit the copy in local (files under default are overwritten when the add-on is upgraded)

Change this section below from :

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true

To:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 0
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
host=dc01
index = wineventlog_xml

Note: disabled must be exactly 0 for the input to run. evt_resolve_ad_obj = 1 would make the forwarder resolve SIDs and GUIDs in each event to names through Active Directory lookups; that adds load on the Domain Controller and is not needed for Event IDs 4768 and 4769, so it is left at 0 here. The host and index lines are not required when sending the data to Detect.

  • Create the file $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/outputs.conf :
[tcpout]
defaultGroup = detect

[tcpout:detect]
server = A.B.C.D:4637
sendCookedData = false
  • Replace A.B.C.D with the IP address of Detect
  • Restart the Universal Forwarder Service

image14.png

Case 2: UF is already installed

In this case a Universal Forwarder is already installed on your Domain Controller and configured to send data to your Splunk indexers. We modify the existing configuration to add Detect as a second destination; the forwarder then sends the same data to both.

Edit the outputs.conf that holds the existing indexer destination. The installer creates it as $SPLUNK_HOME/etc/system/local/outputs.conf (on Windows, C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf); if the forwarder is managed by a deployment server the destination may instead live in an app under etc\apps\<app>\local\. Run "splunk btool outputs list --debug" from the bin directory to see which file each setting comes from. Add the detect group to defaultGroup and add its [tcpout:detect] stanza:

[tcpout]
defaultGroup = splunk_indexer, detect

[tcpout:splunk_indexer]
server = W.X.Y.Z:9997

[tcpout:detect]
server = A.B.C.D:4637
sendCookedData = false
  • Keep your existing indexer group as it is (W.X.Y.Z:9997 stands for your current indexer entry, and the group may have a different name than splunk_indexer). Do not add sendCookedData = false to it: a Splunk indexer expects cooked data, and that line belongs only in the Detect group.
  • Replace A.B.C.D with the IP address of Detect
  • Restart the Universal Forwarder Service

NOTE: With two output groups the forwarder clones every event to both, and a blocked queue for one group stops delivery to all groups. If Detect becomes unreachable this would also stall the feed to the Splunk indexers; set dropEventsOnQueueFull (for example dropEventsOnQueueFull = 10, the number of seconds to wait before discarding) in the [tcpout:detect] stanza so that events for Detect are dropped instead of the forwarder blocking. Also remember that the Security input is shared: renderXml=true and any whitelist from Case 1 change what the indexers receive too.

image14.png
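Before restarting the service it is worth checking the two files mechanically. The following Python script is an added example for this article, not Splunk's, Vectra's or the article's own tooling: it parses inputs.conf and outputs.conf text and flags the mistakes that silently break the feed in Case 1 and Case 2 (Security input disabled or not rendered as XML, a defaultGroup naming a group that does not exist, a group on port 4637 still sending cooked data, sendCookedData = false on a 9997 indexer group, and several groups with no dropEventsOnQueueFull). The sample configs inside it are constructed and use placeholder addresses.

```python
"""Lint the Universal Forwarder inputs.conf and outputs.conf that feed Detect.

Added example for this article, not Splunk's, Vectra's or the article's own tooling.
It parses Splunk-style .conf text ([stanza] headers, key = value lines, '#' comment
lines) and checks the settings the article depends on. The sample configs at the
bottom are constructed; the addresses in them are placeholders.
"""
import re

DETECT_PORT = "4637"      # fixed raw-TCP port on which Detect receives Windows events
SPLUNKTCP_PORT = "9997"   # default port of a Splunk indexer's cooked (S2S) receiver


def parse_conf(text):
    """Return {stanza: {key: value}} from .conf text; a repeated key keeps its last value."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def lint_inputs(text):
    """Findings for the Security event log input, as (severity, message) tuples."""
    sec = parse_conf(text).get("WinEventLog://Security")
    if sec is None:
        return [("error", "inputs.conf: no [WinEventLog://Security] stanza")]
    findings = []
    if sec.get("disabled", "0").lower() not in ("0", "false"):
        findings.append(("error", "inputs.conf: the Security input is disabled"))
    if sec.get("renderXml", "false").lower() not in ("1", "true"):
        findings.append(("error", "inputs.conf: renderXml=true is missing; Detect expects XML"))
    if any(key.startswith("whitelist") for key in sec):
        findings.append(("warn", "inputs.conf: a whitelist also limits what every other output group receives"))
    return findings


def lint_outputs(text):
    """Findings for the tcpout groups: every group exists, Detect gets raw data, indexers get cooked data."""
    conf = parse_conf(text)
    groups = [g.strip() for g in conf.get("tcpout", {}).get("defaultGroup", "").split(",") if g.strip()]
    if not groups:
        return [("error", "outputs.conf: [tcpout] has no defaultGroup")]
    findings = []
    for name in groups:
        group = conf.get(f"tcpout:{name}")
        if group is None:
            findings.append(("error", f"outputs.conf: defaultGroup names {name} but [tcpout:{name}] is missing"))
            continue
        server = group.get("server", "")
        port = server.rsplit(":", 1)[-1] if ":" in server else ""
        raw = group.get("sendCookedData", "true").lower() in ("false", "0")
        if port == DETECT_PORT and not raw:
            findings.append(("error", f"[tcpout:{name}]: Detect on port {DETECT_PORT} needs sendCookedData = false"))
        if port == SPLUNKTCP_PORT and raw:
            findings.append(("error", f"[tcpout:{name}]: sendCookedData = false to {server}; an indexer expects cooked data"))
    # With several groups, one blocked queue stops delivery to all of them unless
    # dropEventsOnQueueFull is set, globally under [tcpout] or on the group at risk.
    guarded = "dropEventsOnQueueFull" in conf.get("tcpout", {}) or any(
        "dropEventsOnQueueFull" in conf.get(f"tcpout:{name}", {}) for name in groups)
    if len(groups) > 1 and not guarded:
        findings.append(("warn", "outputs.conf: several groups and no dropEventsOnQueueFull; a down Detect stalls the indexer feed"))
    return findings


# Constructed samples: the Option 1 input, and the Case 2 outputs before and after the fix.
SAMPLE_INPUTS = """
[WinEventLog://Security]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
renderXml=true
"""

OUTPUTS_BEFORE = """
[tcpout]
defaultGroup = splunk_indexer, detect

[tcpout:splunk_indexer]
server = 192.0.2.10:9997
sendCookedData = false

[tcpout:detect]
server = 192.0.2.20:4637
sendCookedData = false
"""

# The fix: raw data only towards Detect, plus a bounded wait for Detect so the indexer feed
# keeps flowing if Detect is down. The appended line lands in the last stanza, [tcpout:detect].
OUTPUTS_AFTER = OUTPUTS_BEFORE.replace(
    "server = 192.0.2.10:9997\nsendCookedData = false", "server = 192.0.2.10:9997"
) + "dropEventsOnQueueFull = 10\n"

if __name__ == "__main__":
    for label, findings in (("inputs", lint_inputs(SAMPLE_INPUTS)), ("outputs before", lint_outputs(OUTPUTS_BEFORE)),
                            ("outputs after", lint_outputs(OUTPUTS_AFTER))):
        print(label, findings or "OK")
```

To check your own forwarder, pass the file contents in, for example lint_outputs(open(r"C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf").read()). The parser reads one file at a time and does not layer default over local the way Splunk does; use splunk btool for the merged view when settings are spread over several apps.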

Validation

From Detect, under Settings > External Connectors > Windows Event Log Ingestion:

  • If it is receiving data, the green check mark is displayed

image15.png

  • Otherwise, if no data is arriving, a red icon is displayed.

On the forwarder side, run "splunk list forward-server" from the SplunkUniversalForwarder\bin directory: the Detect destination (A.B.C.D:4637) should be listed under active forwards. If it only shows as configured but inactive, check that TCP port 4637 on Detect is reachable from the Domain Controller and that no firewall in between drops it.

 
