Windows Input Lab

00:00

Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cyber. In this video, we're gonna be doing a quick lab to go over the Splunk windows inputs that are available Basically, how and what different data you can ingest in a Splunk,

00:16

um, using the split universal border. So we're gonna basically go through inputs dot com,

00:23

see what options are available. Talk at a high level on some of, um, a lot of them. If you want to know more detailed information, you'll just have to read through in boats dot com because there's just such a plethora of options for configuring these

00:39

that it's not feasible to go through all of them here on. Then we'll go through a lab where will just

00:46

deploy an input for wind event, log security application and system so we can get started and we'll just head over to this inputs. I have documentation. So the nice thing about Windows inputs in Splunk

01:03

is that they're actually built into inputs dot com so you don't need a special app or anything to get these inputs.

01:10

You can just make it a street app with an inputs dot com file. and send that to your Windows forwarders to ingest the data that you won.

01:19

If you go over to the side here, there's a Windows Inputs option, which will have all of the different inputs available. Instead of scrolling through here to show you first, I just want to touch on the fact that you can see each of these. So performance monitor the event logs

01:38

how you can use a list on blacklist, so basically selectively prune which events from the event longs you ingest because if you have any familiarity with windows logging, there's an absolute ton of these on, so it can cause a lot of license to be consumed.

01:56

And if there are events that you see your high volume and not very useful for you,

02:01

then you can use this list to kind of specify only which ones you want or to exclude specific ones. Then you can also monitor active directory Windows Registry host mon on, then a couple other options that

02:19

aren't specifically relevant. Windows. I think this is the end of the important Windows inputs so would have scroll through here just so you can get a feel for basically they'll give you the stands, a name on how to ingest. They'll give you some information about how to fill that in.

02:38

Then you'll get a list of all your attributes and some recommendations or information around how it works. Maybe possible values, etcetera, like this example

02:50

showing you kind of possible options. But you see, there's a ton of these, so most of these you won't use most of them I have never used, but it's good to know that they're there. So if a customer or if in your environment, you need to

03:07

set up some special considerations for one of these inputs, you can go back to this documentation and see if there's any options there that could help fulfill your use case.

03:16

This is gonna be your biggest one, the wind event log. And in this name, you can specify application security or system.

03:23

You'll probably use all of these. If not, you will at least definitely use security. So this is gonna be the most poor one, probably just something that's good to know.

03:35

And this is where, as I mentioned, you have your white list and blacklist capability so you can specify lists of event. I DS basically to either include or explicitly exclude and you're gonna have a number of these.

03:52

If you're just using event I ds, you won't really need to use a number of them.

03:55

But if you're using the rejects, you can only list one,

03:59

uh, rejects per

04:00

attributes. So you could have to use a number of them

04:09

then. Yeah, this is just some more information on how to set that up. I'm not going to go over that here, But you just they know that it's there. Then you have active directory monitor a demon. So this is ah, very useful input

04:25

for basically building like, ah, lists of

04:30

assets and such from active directory. The one thing to keep in mind with this one is you will get a copy of this data for each input that's deployed. So if you send this toe five domain controllers, you'll get five

04:46

duplicate sets of data. So that's something you will watch out for to not consume too much licensing. You might want to just send this toe one. I've seen some customers send this to to just toe have, ah, back up basically. So if something happened that one domain controller. The other one would still provide the list

05:05

Really up to you. But just keep that in mind when you set this up,

05:11

then when Reg Mahon and you can see this is a number of

05:14

configuration options when host Bond has a number of configuration options net mon, etcetera. And depending on your licensing and how much data in just you can tolerate,

05:27

you may want to use all of these. You may want to Onley select certain ones you may monitor specifically domain controllers over endpoints. It really depends a lot on an organization, my organization basis. So

05:41

just know that you have these options available on how you use them will be widely up to circumstance ourselves, a good one. If you want to see script execution type stuff that could be pretty useful from a security standpoint,

05:56

and I think that covers it for Windows. So we're gonna jump in and actually set up our input for my local device here.

06:04

Clear this out. So we're on our deployment server where we already have one app that sending this out are just picking up security logs for now, I can show you that really quick

06:17

all windows inputs, default inputs so you can see this is not disabled. I have a habit of putting this value in there just because if you're used to working with Windows Ta, they'll have

06:34

basically inputs dot com in the default. With all of these options filled in and default, disabled equals one.

06:43

And so you would have to actually explicitly override that In the case of making a discreet map where you're sending these out to the foreigners, you don't have to, uh, fuss with this because

06:56

the the default where this would be set to true doesn't exist in the case of a discreet up. So I didn't need this. I just did it because it's a habit of mine. But we're gonna add to this so that we can include

07:14

bar application and

07:17

system logs as well. And if you note I did not specify source type, you don't need to for this data. In fact, I would recommend avoiding that in case you make a mistake. This input is smart enough. Teoh assign its own source type, and

07:38

it's important that it set properly so that the windows ta at the

07:46

indexer or heavy for her level

07:47

can properly apply its props and transforms. So, yeah, just don't set that. Specify that stands up, tell it where to send the data and just leave it at that. So

08:01

before we reload this, let's just go back and demonstrate that,

08:07

uh,

08:09

what we have in here already.

08:15

We'll just do like, the last couple minutes. That's relatively fast.

08:24

So we have wind event logs, Security,

08:26

one of those long security. I don't have the ta installed on my search head. Otherwise, this source type field should be

08:35

change to a generic women log field.

08:37

But you can see this is what we have. And this is the auto assigned source type based on that input. So now let's reload this deployment server.

08:48

So that will refresh the server classes. And if there's

08:52

been a change, the abs which it will detect this this apple has changed. Then basically, it'll be sent out

09:01

shortly there after to the foreigners. So this is my Ford er so if we wanted Teoh see okay, when did this configuration actually go through? I could open a command prompt on

09:13

run of you tool

09:16

to see we got or even apps

09:20

do. We don't want that program.

09:24

I'm forgetting something.

09:30

Way go blown universal forward. There

09:35

been?

09:37

Yeah, technically, I could just l esa's well on

09:41

or I could cat out the file. But I'm gonna do this instead,

09:45

so we'll just do Splunk you toll,

09:50

uh, inputs Win that log.

09:56

But we want list first.

09:58

We'll see if that works. No,

10:01

let's do list. Let's do find string.

10:07

Um,

10:09

let's to debug

10:13

find string.

10:18

We'll look for

10:20

when those inputs, I think. Yep. There we go. So now you can see that we have systems security and application settings all on here. So it has been refreshed. And now, if I were on the same search

10:37

Well, so we might not see

10:41

data if no data has been generated

10:43

for those data sources, but now we know it's being monitored.

10:50

We could do

10:54

source type in

11:00

win event, log application,

11:05

wind of it

11:07

system.

11:11

These aren't case sensitive when you search and Splunk going in the field. So we could specify all time and hopefully we'll

11:20

find something.

11:20

Yeah. Hey, so you can see both of these worked. We are getting system and application logs now, which we were not before, So that's on a high level. Basically, how you would set that up? You could do that for any number of the in put options we saw.

11:37

You could bring a man one time if you wanted to kind of gauge what is the expected volume from these