Using Splunk to monitor Windows Event Logs


Jonathan Frappier Virtxpert

A few posts ago I reviewed a product called Netwrix which you can use to easily monitor your Windows and AD event logs.  The installation was easy because it was purpose built for motioning such logs, but what about if this wasn’t an option for you and you needed to centrally collect logs via some syslog type service?  In this post I’ll review setting up Windows to send its logs to Splunk which you can download here.  You can use the Enterprise Edition for up to 60 days, indexing 500MB of data, or the free version with some limitations on features such as no alerting withe the same 500MB restriction (Free vs Enterprise).

First, let’s install Splunk a server.  I am downloading for CentOS but Splunk has long installed easily on Windows as well.  The tracking they do makes direct download via wget a bit annoying, so I had to download and them move into my VM.

  • After running splunk-ver.rpm I had to navigate to /opt/splunk/bin and ran ./splunk enable boot-start because I wanted this to start automatically
  • Agree to the license agreeemnt
  • You should now see Splunk as a service if you run chkconfig –list
  • Start Splunk
Service splunk start
  • Now you should be able to navigate to http://url:8000 (if you are running iptables you’ll need to add port 8000)
  • The default username and password is admin/changeme which you’ll be forced to change.

splunkfirstlogin

  • From here, for production purposes you should secure as you normally would, Splunk supports its own user database or LDAP.  Navigate to Settings >> Access Control >> Authentication Methods to enable and configure LDAP.  For now I’ll just just use the built in splunk users, or see my post on configuring Splunk for AD Authentication.
  • Next we need to configure Splunk to listen before we can start forwarding new data.
  • Navigate to Settings >> Data >> Forwarding and Receiving
  • Under Receive Data click ‘Add New’ and set the port number, default is 9997 which seems swell to me.

Now that Splunk is up and running, lets install the Universal Forwarder for Windows.  An early tip, check the size of your Event Log files, if they are set to rotate at a fairly small size you’ll be fine, otherwise as soon as we finish this install stop the Splunk Universal Forwarder service so you can change the default current_only setting which is set to 0 (zero).  This mean it will send all historical logs which may quickly meet your 500MB quota.  Alternatively you could wipe your log files if you did not need the historical data.

  • Download the Universal Forwarder for Windows
  • Next, Accept the license agreement, select your install location or accept the default and click next
  • We did not setup a Deployment Server, so leave this page blank
  • Enter the hostname or IP of your server and the port you setup the receiver on
  • We did not setup certificates so leave this blank
  • Select whether you want to send only local data, or data from remote machines as well.  This would allow you to only install the Universal Forwarder on one machine but requires the service run as a privileged account.  The various Splunk services on Windows take up somewhere around 60MB of memory, at least on a fairly low usage system.  For purposes of this test, just select Local Data Only
  • Now you can select which logs you wish to send to Splunk as well as any additional log files in the ‘Path to monitor’ box.  I’ve enabled all Event Logs plus AD Monitoring.
  • Use the packaged Splunk Technology Add-on so it can map events in a CIM format for Splunk
  • And click Install… and click Finish
  • Now stop the SplunkForwarder service (if you want to change the default logging behavior)

Now that the service is stopped, edit C:Program FilesSplunkUniversalForwarderetcappsSplunk_TA_windowslocalinputs.conf to and change

[WinEventLog://Setup] and [WinEventLog://ForwardedEvents]
checkpointInterval = 5
current_only = 1
disabled = 0
start_from = oldest

You can find more detailed information on the various configuration options in the inputs.conf file here.  Now you can restart the SplunkForwarder service.  If you log into Splunk you should be able to search for something similar to host=domaincontrollername and start seeing logs.

splunksearch

Summary

This was a bit more involved than the next…next…next setup of Netwrix, but so far haven’t had to pay anything, assuming we can keep the logs under 500MB a day.  At this point, we can add more servers and search all of our logs in one place, though the free version does not allow us to setup Alerts so its not a straight trade off between Netwrix and Splunk.  In my next post, I hope to review the Splunk App for Windows and Active Directory.

Using Splunk to monitor Windows Event Logs