
How to Deploy Splunk and Capture Windows Logs

In this blog post I cover:

  1. Deploying Splunk locally
  2. Connecting Windows OS events and logs to Splunk
  3. Capturing Windows events in the Splunk dashboard

Before starting, here is a short overview of Splunk.

Splunk – Splunk is a log-collection and analytics platform that large enterprises widely use as a SIEM. It gives an organization a bird’s-eye view of its security infrastructure by collecting and monitoring the events generated across the enterprise.

Learn more about SIEM – SIEM | Beginner’s Guide

Splunk Deployment and Onboarding of Windows OS Events

In the image above, Splunk has already been installed and deployed on my local machine.

  • If you want to see the Splunk installation and deployment step by step, check the post on this blog (CyberNomadTV). I will list the various sources and related posts at the end of this article.

After logging in to the Splunk instance, you land on the dashboard shown in the image.

Several options are displayed on the Splunk home page.

  • Click “Add Data”, which takes you to the next screen.

As you can see, there are multiple data sources you can onboard, such as:

  1. Cloud Computing – cloud instances such as AWS
  2. Networking – Cisco and Palo Alto infrastructure deployments
  3. Operating Systems – Windows and Linux
  4. Security
  • Choose “Operating System” and select Windows

Select “Forward Data to Splunk Indexer”.

It is the default option offered by Splunk Enterprise.

Splunk offers several deployment options:

  1. Single Instance
  2. Distributed
  3. Splunk Cloud
  • Select the “Single Instance” option, which matches a local install where one Splunk Enterprise instance both collects and indexes the data

After selecting the deployment option you are taken to the Review page.

The image shows the SPL query Splunk generates for searching the data you are about to onboard.

Click “Finish” at the top right corner.

This section lists the Windows data inputs you can enable, depending on the organization's requirements and which events need to be captured.

The available options are:

  1. Local Event Logs
  2. Remote Event Logs
  3. Files and Directories
  4. HTTP Event Collector
  5. Local Performance Monitoring
  6. Active Directory Monitoring
  7. Local Windows Host Monitoring
  8. Local Windows Network Monitoring
  9. Local Windows Print Monitoring

I have selected the “Local Event Logs” and “Local Windows Host Monitoring” data inputs.

After selecting the data inputs, you choose which event logs (channels) Splunk should capture.

I have selected:

  1. Application
  2. System
  3. Security

The “Host field value” shows my hostname.

Splunk uses the host value to index events and categorize them by the machine they came from, so the host value must be the name of the machine on which the event originates. For local event logs the default is the local hostname and should be left alone; set it explicitly only when an input collects logs that originated on another machine, for example files copied from a remote host, otherwise searches and dashboards keyed on host will attribute those events to the wrong system.
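The wizard writes the choices above into an inputs.conf file. The fragment below is an added example, not the post's own configuration: it is the inputs.conf equivalent of enabling Local Event Logs for Application, System and Security plus Local Windows Host Monitoring, with the host value set explicitly. The index name `wineventlog` and the hostname `WIN-EXAMPLE` are assumptions; Splunk Web saves the file under `etc\apps\search\local\inputs.conf` when the Search app context is kept.

```ini
# Added example (not from the original post). Equivalent of the Splunk Web
# "Local Event Logs" + "Local Windows Host Monitoring" wizard choices.
# Assumptions: an index named "wineventlog" already exists; the hostname
# WIN-EXAMPLE stands in for the real machine name.

[default]
# The wizard's "Host field value". Omit this to take the local hostname;
# it is only needed when the events did not originate on this machine.
host = WIN-EXAMPLE

[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
# The Security channel is readable only by LocalSystem or by members of the
# "Event Log Readers" group. If the Splunkd service runs as any other account
# this stanza loads without error and silently indexes nothing.

[WinHostMon://Computer]
# type can also be Process, Processor, NetworkAdapter, Service,
# OperatingSystem, Disk, Driver or Roles; interval is in seconds.
type = Computer
interval = 300
disabled = 0
```

`start_from = oldest` with `current_only = 0` backfills the whole channel on first start, which on a long-running server can be many thousands of events; set `current_only = 1` if only new events are wanted. Inputs created through Splunk Web take effect immediately, but after editing the file by hand, restart Splunk and confirm the merged result with `splunk btool inputs list --debug`.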

As you can see, the Windows event log input has been created in Splunk.

The message displayed reads “local event logs input has been created successfully”.

You can add data from further sources depending on what you need to ingest.

After the Windows event log input is configured, this is the view of the events Splunk captures in real time.

Events from the local Windows machine are being ingested and displayed.
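Seeing events scroll past in the real-time view is a good sign, but it does not tell you whether every channel is flowing, and the Security channel in particular fails silently when the service account cannot read it or when no audit policy is producing events. The script below is an added example, not part of the original post: it checks the Splunk service account, counts recent events per channel on the Windows side, and then runs an SPL search through Splunk's REST API to count what was actually indexed for the same window. It assumes Splunk Enterprise on the same machine with the default management port 8089, the `main` index, and PowerShell 7+ (for `-SkipCertificateCheck` against Splunk's self-signed certificate); run it elevated, since reading the Security log needs administrator rights.

```powershell
<#
  Added example, not from the original post. Verifies end to end that
  (1) the Splunk service account can read the Security channel,
  (2) the Application/System/Security channels contain recent events, and
  (3) Splunk indexed them, via an SPL search over the REST API.
  Assumptions: Splunk Enterprise on this machine, management port 8089,
  index "main", PowerShell 7+ (for -SkipCertificateCheck). Run elevated.
#>
param(
    [string]$SplunkHost = "localhost",
    [int]$SplunkMgmtPort = 8089,
    [string]$SplunkIndex = "main",
    [int]$LookbackMinutes = 15
)

$channels = @("Application", "System", "Security")
$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# 1. Service account. Only LocalSystem or members of "Event Log Readers" can
#    read the Security channel; any other account yields an input that is
#    created without error but never produces an event.
Get-CimInstance Win32_Service -Filter "Name='Splunkd' OR Name='SplunkForwarder'" |
    ForEach-Object { "{0,-16} runs as {1,-20} state {2}" -f $_.Name, $_.StartName, $_.State }

# 2. Windows-side count per channel for the same window Splunk will be asked about.
$localCount = @{}
foreach ($log in $channels) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
        -ErrorAction SilentlyContinue
    $localCount[$log] = @($events).Count
    "{0,-12} {1,6} events in the Windows log since {2:HH:mm}" -f $log, $localCount[$log], $since
}
# An empty Security channel usually means no audit policy, not a broken input.
if ($localCount["Security"] -eq 0) {
    "No Security events in the window; current logon audit policy:"
    auditpol /get /category:"Logon/Logoff"
}

# 3. Splunk-side count per source for the same window via search/jobs/export.
#    With output_mode=json the endpoint streams one JSON object per line.
$cred  = Get-Credential -Message "Splunk account that can run searches"
$token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
    "$($cred.UserName):$($cred.GetNetworkCredential().Password)"))
$spl  = "search index=$SplunkIndex source=`"WinEventLog:*`" | stats count by source"
$body = @{
    search        = $spl
    output_mode   = "json"
    earliest_time = "-${LookbackMinutes}m"
    latest_time   = "now"
}
$uri  = "https://${SplunkHost}:${SplunkMgmtPort}/services/search/jobs/export"
$resp = Invoke-WebRequest -Uri $uri -Method Post -Body $body `
    -Headers @{ Authorization = "Basic $token" } -SkipCertificateCheck -UseBasicParsing
$resp.Content -split "`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $row = ($_ | ConvertFrom-Json).result
    if ($row) { "{0,-24} {1,6} events indexed by Splunk" -f $row.source, $row.count }
}
```

Windows-side counts are per channel and Splunk-side counts are per source (`WinEventLog:Application` and so on), and they will not match exactly because of indexing lag and the input's `start_from` setting. The pattern to look for is a channel with hundreds of local events and nothing indexed: that points at the service account or a wrong index name rather than at the input itself.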
