Detecting Windows XP Systems with Splunk

Windows XP is dead! Soon after Windows XP was introduced, Microsoft introduced the Trustworthy Computing Initiative – a kind of “security first” thinking that has been the hallmark of Microsoft for the last decade. Prior to the security focus, Microsoft operating systems were well known as a leaky sieve for viruses. Now, 12 years later, Windows XP is finally ready to be dropped. Well, to be honest – that happened a few years back. But many people are holding on to their XP installs for one reason or another. Now it’s time to give them up.

How can you tell who is connecting to your facilities with Windows XP systems? There are a variety of ways depending on whether they …

Running two Universal Forwarders on Windows

We get quite a few requests on how to run two Splunk Universal Forwarders on the same Windows host. Why would you do this? The primary reason is that you have a lab environment and want to compare one version of Splunk to another during an evaluation of a new version. You may also have two sets of files you need to ingest into Splunk and the files have differing access permissions such that Splunk needs to run as different users. It’s really an edge case and definitely not something you want to generally do in production.

In Linux, this is a fairly simple process – just install to a different directory and change the ports and you are done. …

What’s new in Microsoft Apps

Splunk is exhibiting at the Microsoft Exchange Conference this week. If you are in town, please stop by booth #805 in the Eastside to see us. To coincide with this conference, we are releasing a whole slew of new apps and add-ons. Here are some of the highlights:

The Splunk App for Microsoft Exchange has undergone a huge makeover and now includes complementary functionality from the Active Directory Domain Services and Windows realm. We can correlate across those three platforms to see new and unique things. Want to understand how a Windows update affected the performance of your Exchange hosts? Now you have the information available to you. Want to arrange the app panels in ways that are useful to …

Splunk on Windows, Clustering and IPv6

We had fun this week in our Seattle office setting up clustering for Splunk on Windows on a pure-IPv6 network. IPv6 has been gaining acceptance more outside the US than within for quite a number of years now and I am one of those optimists that expects that we will reach the tipping point soon where IPv6 adoption becomes the norm rather than the exception.

We had a set of four systems. On our indexer tier was a set of three indexers – one cluster master and two cluster slaves. We also had a separate search head. Each of these systems was running Windows Server 2008R2 and had the latest version of Splunk Enterprise 6 installed. The requirement was …

Correlating Cisco ESA with Microsoft Exchange for Message Tracking

One of the great features of the Splunk App for Microsoft Exchange is that you can track messages to the edge. It doesn’t matter what type of devices we go through, we get to see the messages and what hops they go through. Doing that requires some knowledge of the data flow and the construction of appropriate searches.

Let’s take an example of the inbound message flow. To track an inbound message, we use a macro – msgtrack-inbound-messages. The comments in the macros.conf file tell us that we need to have a table that has the date/time, message-id, cs-ip, sender, sender-domain, recipient-count, list-of-recipients and message-size. It then goes on to show off the Microsoft Exchange version. How would we alter …

Correlating Windows and VMware Host Information

When you install a new virtual host on VMware, you get to give it any name you want. The name has nothing to do with what is running on the host. How can we go from the Windows information to the VMware information? We’re here to help.

Let’s take a look at the VMware side of things for a moment. If you have the Splunk App for VMware installed, then you likely already have this information. The sourcetype is “vmware:inv:vm” and there is one event for every virtual host in there. Since we need a common field on which to correlate, I’m going to choose the network interface MAC Address. The “vmware:inv:vm” event is JSON data, so we need to …

Introducing the Cisco Security Suite for Splunk 6

I know. I normally blog about Microsoft stuff. Recently, however, I’ve been helping out on another project – updating the Cisco Security Suite to be compatible with Splunk 6. The Cisco Security Suite is the most downloaded app on Splunkbase behind the *Nix and Windows apps and exposes Cisco specific information about your Cisco specific security devices.

We had many aims for this project, aside from just upgrading everything to work with Splunk 6. We wanted it to use the Technology Add-ons that you may already have from a deployment of Enterprise Security. If you were considering an upgrade to Enterprise Security in the future (and you should – it’s awesome), then we wanted the data you have already …

Universal Forwarders and the Splunk App for Active Directory

About once a week I respond to a call or online question asking about the Splunk App for Active Directory. Specifically, these questions ask one of two things. The first is “Can I collect the Active Directory data remotely?,” and the second is “What user shall I run the Universal Forwarder as?” The cliff notes version is that you should not collect Active Directory data remotely, and you should install the Universal Forwarder as the system local user. If you want more information, read on.

Let’s start with the first question – can you collect the Active Directory data remotely? Technically, the answer is yes, but in reality it is ill advised from a security …

Which Microsoft Servers are inactive?

What can you tell me about my environment? It’s a common enough query and Splunk seems to be able to answer them all. The latest was this: Can you give me a list of all the servers that are inactive? Inactive, for the purposes of this post, means that they are bound to the domain but they have not logged into the domain in some period of time.

One of my favorite tools for answering these questions is the SA-ldapsearch commands. Fortunately for us, Active Directory contains the timestamp. Unfortunately for us, it contains two timestamps. The first is called “lastLogon” and contains the time stamp that the system in question last connected to THIS domain controller. The …

Forwarding Windows Event Logs to another host

Let’s face it – sometimes, it just isn’t possible to install the Universal Forwarder on all hosts. Mistrust of new software, proof of concepts and security concerns all play into the decision to install a Universal Forwarder or not. What do you do when you can’t install a Universal Forwarder? In this article, we will discuss how to configure a Microsoft Windows host to forward the Windows Event Logs somewhere else.

Throughout this article, we will refer to the “source” when we mean the system that is generating the logs in the first place, and we will refer to the “collector” when we mean the system where you are centralizing the logs.

Step 1: Configure WinRM

Your first step will …