Windows Input Lab


Video Transcription
Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. In this video, we're gonna be doing a quick lab to go over the Splunk Windows inputs that are available. Basically, how and what different data you can ingest in Splunk using the Splunk Universal Forwarder. So we're gonna basically go through inputs.conf, see what options are available, talk at a high level on some of, a lot of them. If you want to know more detailed information, you'll just have to read through inputs.conf, because there's just such a plethora of options for configuring these that it's not feasible to go through all of them here. And then we'll go through a lab where we'll just deploy an input for WinEventLog Security, Application and System.

So we can get started, and we'll just head over to this inputs.conf documentation. So the nice thing about Windows inputs in Splunk is that they're actually built into inputs.conf, so you don't need a special app or anything to get these inputs. You can just make a discrete app with an inputs.conf file and send that to your Windows forwarders to ingest the data that you want.

If you go over to the side here, there's a Windows Inputs option, which will have all of the different inputs available. Instead of scrolling through here to show you first, I just want to touch on the fact that you can see each of these: so performance monitor, the event logs, how you can use a whitelist and blacklist, so basically selectively prune which events from the event logs you ingest, because if you have any familiarity with Windows logging, there's an absolute ton of these, and so it can cause a lot of license to be consumed. And if there are events that you see are high volume and not very useful for you, then you can use this list to kind of specify only which ones you want, or to exclude specific ones. Then you can also monitor Active Directory, Windows Registry, hostmon, and then a couple other options that aren't specifically relevant to Windows.

I think this is the end of the important Windows inputs, so I'll just scroll through here so you can get a feel for it. Basically, they'll give you the stanza name and how to ingest; they'll give you some information about how to fill that in. Then you'll get a list of all your attributes and some recommendations or information around how it works, maybe possible values, etcetera, like this example showing you kind of possible options. But you see, there's a ton of these, so most of these you won't use. Most of them I have never used, but it's good to know that they're there. So if a customer, or if in your environment, you need to set up some special considerations for one of these inputs, you can go back to this documentation and see if there's any options there that could help fulfill your use case.
This is gonna be your biggest one, the WinEventLog. And in this name you can specify Application, Security or System. You'll probably use all of these; if not, you will at least definitely use Security. So this is gonna be the most popular one, probably. Just something that's good to know. And this is where, as I mentioned, you have your whitelist and blacklist capability, so you can specify lists of event IDs basically to either include or explicitly exclude, and you're gonna have a number of these. If you're just using event IDs, you won't really need to use a number of them. But if you're using the regex, you can only list one regex per attribute, so you could have to use a number of them. Then, yeah, this is just some more information on how to set that up. I'm not going to go over that here, but you just need to know that it's there.

Then you have Active Directory monitor, admon. So this is a very useful input for basically building, like, lists of assets and such from Active Directory. The one thing to keep in mind with this one is you will get a copy of this data for each input that's deployed. So if you send this to five domain controllers, you'll get five duplicate sets of data. So that's something you will watch out for, to not consume too much licensing. You might want to just send this to one. I've seen some customers send this to two, just to have a backup basically, so if something happened to one domain controller, the other one would still provide the list. Really up to you, but just keep that in mind when you set this up.

Then regmon, and you can see this has a number of configuration options; hostmon has a number of configuration options; netmon, etcetera. And depending on your licensing and how much data ingest you can tolerate, you may want to use all of these, you may want to only select certain ones, you may monitor specifically domain controllers over endpoints. It really depends a lot on an organization-by-organization basis. So just know that you have these options available, and how you use them will be widely up to circumstance. PowerShell's a good one if you want to see script execution type stuff; that could be pretty useful from a security standpoint. And I think that covers it for Windows. So we're gonna jump in and actually set up our input for my local device here.
Clear this out. So we're on our deployment server, where we already have one app that's sending this out. It's just picking up Security logs for now; I can show you that really quick: all windows inputs, default, inputs.conf. So you can see this is not disabled. I have a habit of putting this value in there just because, if you're used to working with the Windows TA, they'll have basically inputs.conf in the default with all of these options filled in and, by default, disabled = 1. And so you would have to actually explicitly override that. In the case of making a discrete app where you're sending these out to the forwarders, you don't have to fuss with this, because the default, where this would be set to true, doesn't exist in the case of a discrete app. So I didn't need this; I just did it because it's a habit of mine. But we're gonna add to this so that we can include our Application and System logs as well.

And if you note, I did not specify sourcetype. You don't need to for this data. In fact, I would recommend avoiding that in case you make a mistake. This input is smart enough to assign its own sourcetype, and it's important that it's set properly so that the Windows TA at the indexer or heavy forwarder level can properly apply its props and transforms. So, yeah, just don't set that. Specify that stanza, tell it where to send the data, and just leave it at that.

So before we reload this, let's just go back and demonstrate what we have in here already. We'll just do, like, the last couple minutes; that's relatively fast. So we have WinEventLog Security, one of those: WinEventLog:Security. I don't have the TA installed on my search head, otherwise this sourcetype field should be changed to a generic WinEventLog field. But you can see this is what we have, and this is the auto-assigned sourcetype based on that input. So now let's reload this deployment server.
So that will refresh the server classes, and if there's been a change to the apps, which it will detect (this app has changed), then basically it'll be sent out shortly thereafter to the forwarders. So this is my forwarder. So if we wanted to see, okay, when did this configuration actually go through? I could open a command prompt and run btool to see what we've got, or even apps. We don't want that program. I'm forgetting something. There we go, SplunkUniversalForwarder, there. Yeah, technically I could just ls as well, or I could cat out the file, but I'm gonna do this instead. So we'll just do splunk btool inputs WinEventLog. But we want list first. We'll see if that works. No, let's do list. Let's do findstr. Let's do debug, findstr. We'll look for Windows inputs, I think. Yep, there we go. So now you can see that we have System, Security and Application settings all on here. So it has been refreshed.

And now, if I were on the same search... well, so we might not see data if no data has been generated for those data sources, but now we know it's being monitored. We could do sourcetype=WinEventLog:Application, WinEventLog:System. These aren't case sensitive when you search in Splunk, going in the field. So we could specify All time and hopefully we'll find something. Yeah, hey, so you can see both of these worked. We are getting System and Application logs now, which we were not before. So that's, on a high level, basically how you would set that up. You could do that for any number of the input options we saw. You could bring them in one time if you wanted to kind of gauge what is the expected volume from these, or to review the data to determine how valuable it'd be to you and decide which one of those options to implement. So that wraps it up for this lab. You know everything you need to know about bringing in Windows inputs, how to configure them, so we'll see you in the next video.
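The inputs.conf that the lab builds, written out as an added example (this is not the video's own file, and not Splunk's documentation): a discrete deployment app carrying the three WinEventLog stanzas, with the whitelist/blacklist forms the video describes. The index name, the app name in the comment, and the specific event IDs and regex are illustrative choices, not values from the page.

```ini
# Added example, not from the video. Assumed location: a discrete deployment app,
# e.g. <app>/local/inputs.conf, pushed by the deployment server to the Windows
# universal forwarders. Index name and event-ID choices are illustrative.

[WinEventLog://Security]
# Explicit disabled = 0 is a habit, not a requirement, for a discrete app;
# the Windows TA's default/inputs.conf is where disabled = 1 would have to be
# overridden.
disabled = 0
index = wineventlog
# No sourcetype on purpose: the input assigns WinEventLog:Security itself so
# the Windows TA's props and transforms match at the indexer or heavy forwarder.
#
# Numeric form: a comma-separated list of event IDs to exclude
# (5156/5158 are Windows Filtering Platform connection events, assumed here as
# the high-volume, low-value noise the video talks about).
blacklist = 5156,5158
# Regex form: only one key=regex expression per attribute, so further
# patterns go in blacklist2, blacklist3, ... rather than on the same line.
blacklist1 = EventCode=%^4662$% Message=%Object Type:\s+(?!groupPolicyContainer)%

[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog
# Whitelist (include-only) in numeric form: service install / state-change
# events. Illustrative selection.
whitelist = 7034,7036,7040,7045

# Active Directory monitoring, shown disabled. Every forwarder that runs this
# stanza ingests a full copy of the directory, so it belongs on one domain
# controller (or two, for a backup), not on all of them.
[admon://NearestDC]
disabled = 1
targetDc =
monitorSubtree = 1
```

After reloading the deployment server, the same check the video runs on the forwarder confirms the stanzas arrived: from the forwarder's bin directory, `splunk btool inputs list --debug` piped through `findstr WinEventLog` (the `--debug` flag shows which file each setting came from). On the search head, `sourcetype=WinEventLog:System` and `sourcetype=WinEventLog:Application` over All time should then return events once the channels have produced any.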