Detecting Windows XP Systems with Splunk
Windows XP is dead! Soon after Windows XP was introduced, Microsoft introduced the Trustworthy Computing Initiative – a kind of “security first” thinking that has been the hallmark of Microsoft for the last decade. Prior to the security focus, Microsoft operating systems were well known as a leaky sieve for viruses. Now, 12 years later, Windows XP is finally ready to be dropped. Well, to be honest – that happened a few years back. But many people are holding on to their XP installs for one reason or another. Now it’s time to give them up.
How can you tell who is connecting to your facilities with Windows XP systems? There are a variety of ways depending on if they …
Running two Universal Forwarders on Windows
We get quite a few requests on how to run two Splunk Universal Forwarders on the same Windows host. Why would you do this? The primary reason is that you have a lab environment and want to compare one version of Splunk to another during an evaluation of a new version. You may also have two sets of files you need to ingest into Splunk and the files have differing access permissions such that Splunk needs to run as different users. It’s really an edge case and definitely not something you want to generally do in production.
In Linux, this is a fairly simple process – just install to a different directory and change the ports and you are done. …
What’s new in Microsoft Apps
Splunk is exhibiting at the Microsoft Exchange Conference this week. If you are in town, please stop by booth #805 in the Eastside to see us. To coincide with this conference, we are releasing a whole slew of new apps and add-ons. Here are some of the highlights:
The Splunk App for Microsoft Exchange has undergone a huge makeover and now includes complementary functionality from the Active Directory Domain Services and Windows realm. We can correlate across those three platforms to see new and unique things. Want to understand how a Windows update affected the performance of your Exchange hosts? Now you have the information available to you. Want to arrange the app panels in ways that are useful to …
Splunk EMEA Partner Kick Off – Breakthrough, Barcelona, Beavis and Beaker
As I write this, I’m somewhere over France on my way back from the Splunk EMEA Partner Kick Off (PKO). We’ve been to sunny Barcelona at the Rey Juan Carlos Hotel (a place I’ve spent many a happy corporate event). After confessing to being an A-ha fan in Oslo, having frozen hair in Stockholm and apologising for being English in Paris – I foolishly decided to confess to looking like the lovechild of Beavis and Beaker from The Muppets. I’ll let you decide and comment below. Be kind!
We had about 150 partners from across the region telling their stories, sharing experiences of how their customers are using their machine data and getting a comprehensive, and hopefully useful, update from …
Correlating Cisco ESA with Microsoft Exchange for Message Tracking
One of the great features of the Splunk App for Microsoft Exchange is that you can track messages to the edge. It doesn’t matter what type of devices we go through, we get to see the messages and what hops they go through. Doing that requires some knowledge of the data flow and the construction of appropriate searches.
Let’s take an example of the inbound message flow. To track an inbound message, we use a macro – msgtrack-inbound-messages. The comments in the macros.conf file tell us that we need to have a table that has the date/time, message-id, cs-ip, sender, sender-domain, recipient-count, list-of-recipients and message-size. It then goes on to show off the Microsoft Exchange version. How would we alter …
Universal Forwarders and the Splunk App for Active Directory
About once a week I respond to a call or online question asking about the Splunk App for Active Directory. Specifically, these questions ask one of two things. The first is “Can I collect the Active Directory data remotely?” and the second is “What user shall I run the Universal Forwarder as?” The CliffsNotes version is that you should not collect Active Directory data remotely, and you should install the Universal Forwarder as the Local System user. If you want more information, read on.
Let’s start with the first question – can you collect the Active Directory data remotely? Technically, the answer is yes, but the reality is that it is ill-advised from a security …
Which Microsoft Servers are inactive?
What can you tell me about my environment? It’s a common enough query and Splunk seems to be able to answer them all. The latest was this: Can you give me a list of all the servers that are inactive? Inactive, for the purposes of this post, means that they are bound to the domain but they have not logged into the domain in some period of time.
One of my favorite tools for answering these questions is the SA-ldapsearch commands. Fortunately for us, Active Directory contains the timestamp. Unfortunately for us, it contains two timestamps. The first is called “lastLogon” and contains the timestamp that the system in question last connected to THIS domain controller. The …
Measuring Windows Group Policy Logon Performance
One of the common complaints you will hear from Windows users is that their logon takes too long. This is especially true for Microsoft Remote Desktop Services and Citrix infrastructures. Luckily, Microsoft is logging all the nitty-gritty details in Event Logs. So, naturally, Splunk can give you insight into what’s going on.
Getting the Event Log Data Into Splunk
The Windows event log holding this data is found under Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational.
Splunk has a built-in Windows Event Log collection mechanism, but that mechanism will not get the raw XML data behind the scenes of these entries. We need the extended XML data for our analysis. So, using a little PowerShell …
Forwarding Windows Event Logs to another host
Let’s face it – sometimes, it just isn’t possible to install the Universal Forwarder on all hosts. Mistrust of new software, proofs of concept and security concerns all play into the decision to install a Universal Forwarder or not. What do you do when you can’t install a Universal Forwarder? In this article, we will discuss how to configure a Microsoft Windows host to forward the Windows Event Logs somewhere else.
Throughout this article, we will refer to the “source” when we mean the system that is generating the logs in the first place, and we will refer to the “collector” when we mean the system where you are centralizing the logs.
Step 1: Configure WinRM
Your first step will …
Working with Active Directory on Splunk Universal Forwarders
Have you ever installed a Splunk Universal Forwarder and seen one or more of your Active Directory domain controllers have high CPU utilization as a result? Have you ever wondered how the Splunk Universal Forwarder translates the Security ID effortlessly into a real name you can read? In this blog post, I’m going to tell you exactly how we do the things we do with Active Directory and how you can improve the performance or reduce the load on your domain controllers.
There are two Windows pieces on the Universal Forwarder that deal with Active Directory. The first is known as admon – it emits information about your Active Directory Domain Services objects – both as a “dump” of the …