Windows Print Monitoring in Splunk 6

Splunk 6 has been out almost six months and I have not yet finished covering all the new Windows features. Let’s continue doing that by looking at print monitoring. If you have ever wanted to do charge back reporting for print jobs but lacked the data, then this is for you. The Windows Print Monitor is a new data input in the Splunk 6 Universal Forwarder (ok – it’s also available on Splunk Enterprise).

The idea of this is fairly simple. Install a Splunk 6 Universal Forwarder on your print servers, set up the data input and you will get data. There are two types of data you can get – inventory type information such as the printers, the ports …


Detecting Windows XP Systems with Splunk

Windows XP is dead! Soon after Windows XP was introduced, Microsoft introduced the Trustworthy Computing Initiative – a kind of “security first” thinking that has been the hallmark of Microsoft for the last decade. Prior to the security focus, Microsoft operating systems were well known as a leaky sieve for viruses. Now, 12 years later, Windows XP is finally ready to be dropped. Well, to be honest – that happened a few years back. But many people are holding on to their XP installs for one reason or another. Now it’s time to give them up.

How can you tell who is connecting to your facilities with Windows XP systems? There are a variety of ways depending on whether they …


Running two Universal Forwarders on Windows

We get quite a few requests on how to run two Splunk Universal Forwarders on the same Windows host. Why would you do this? The primary reason is that you have a lab environment and want to compare one version of Splunk to another during an evaluation of a new version. You may also have two sets of files you need to ingest into Splunk and the files have differing access permissions such that Splunk needs to run as different users. It’s really an edge case and definitely not something you want to generally do in production.

In Linux, this is a fairly simple process – just install to a different directory and change the ports and you are done. …


What’s new in Microsoft Apps

Splunk is exhibiting at the Microsoft Exchange Conference this week. If you are in town, please stop by booth #805 in the Eastside to see us. To coincide with this conference, we are releasing a whole slew of new apps and add-ons. Here are some of the highlights:

The Splunk App for Microsoft Exchange has undergone a huge makeover and now includes complementary functionality from the Active Directory Domain Services and Windows realm. We can correlate across those three platforms to see new and unique things. Want to understand how a Windows update affected the performance of your Exchange hosts? Now you have the information available to you. Want to arrange the app panels in ways that are useful to …


Splunk EMEA Partner Kick Off – Breakthrough, Barcelona, Beavis and Beaker

As I write this, I’m somewhere over France on my way back from the Splunk EMEA Partner Kick Off (PKO). We’ve been to sunny Barcelona at the Rey Juan Carlos Hotel (a place I’ve spent many a happy corporate event). After confessing to being an A-ha fan in Oslo, having frozen hair in Stockholm and apologising for being English in Paris – I foolishly decided to confess to looking like the lovechild of Beavis and Beaker from The Muppets. I’ll let you decide and comment below. Be kind!

We had about 150 partners from across the region telling their stories, sharing experiences of how their customers are using their machine data and getting a comprehensive, and hopefully useful, update from …


Correlating Cisco ESA with Microsoft Exchange for Message Tracking

One of the great features of the Splunk App for Microsoft Exchange is that you can track messages to the edge. It doesn’t matter what type of devices we go through, we get to see the messages and what hops they go through. Doing that requires some knowledge of the data flow and the construction of appropriate searches.

Let’s take an example of the inbound message flow. To track an inbound message, we use a macro – msgtrack-inbound-messages. The comments in the macros.conf file tell us that we need to have a table that has the date/time, message-id, cs-ip, sender, sender-domain, recipient-count, list-of-recipients and message-size. It then goes on to show off the Microsoft Exchange version. How would we alter …


Universal Forwarders and the Splunk App for Active Directory

About once a week I respond to a call or online question asking about the Splunk App for Active Directory. Specifically, these questions ask one of two things. The first is “Can I collect the Active Directory data remotely?” and the second is “What user shall I run the Universal Forwarder as?” The cliff notes version is that you should not collect Active Directory data remotely, and you should install the Universal Forwarder as the system local user. If you want more information, read on.

Let’s start with the first question – can you collect the Active Directory data remotely? Technically, the answer is yes, but in reality it is ill advised from a security …


Which Microsoft Servers are inactive?

What can you tell me about my environment? It’s a common enough query and Splunk seems to be able to answer them all. The latest was this: Can you give me a list of all the servers that are inactive? Inactive, for the purposes of this post, means that they are bound to the domain but they have not logged into the domain in some period of time.

One of my favorite tools for answering these questions is the SA-ldapsearch commands. Fortunately for us, Active Directory contains the timestamp. Unfortunately for us, it contains two timestamps. The first is called “lastLogon” and contains the time stamp that the system in question last connected to THIS domain controller. The …


Measuring Windows Group Policy Logon Performance

One of the common complaints you will hear from Windows users is that their logon takes too long. This is especially true for Microsoft Remote Desktop Services and Citrix infrastructures. Luckily, Microsoft is logging all the nitty-gritty details in Event Logs. So, naturally, Splunk can give you insight into what’s going on.

Getting the Event Log Data Into Splunk

The Windows event log holding this data is found under Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational.

Splunk has a built-in Windows Event Log collection mechanism, but that mechanism will not get the raw XML data behind the scenes of these entries. We need the extended XML data for our analysis. So, using a little PowerShell …


Forwarding Windows Event Logs to another host

Let’s face it – sometimes, it just isn’t possible to install the Universal Forwarder on all hosts. Mistrust of new software, proof of concepts and security concerns all play into the decision to install a Universal Forwarder or not. What do you do when you can’t install a Universal Forwarder? In this article, we will discuss how to configure a Microsoft Windows host to forward the Windows Event Logs somewhere else.

Throughout this article, we will refer to the “source” when we mean the system that is generating the logs in the first place, and we will refer to the “collector” when we mean the system where you are centralizing the logs.

Step 1: Configure WinRM

Your first step will …
