Monitoring Windows Event Logs in Splunk

Monitoring Windows Event Logs in Splunk

By: Karl Cepull  | Senior Director, Operational Intelligence

 

Splunk is a widely accepted tool for log aggregation and analysis in both security and IT Ops use cases. Splunk’s add-ons for Microsoft Windows, including Exchange and Active Directory, rely on Windows Event Logs being available and a forwarder used to send those logs into Splunk. Windows logs provide a wealth of information with every action taken. The problem is the volume of information available means ingesting a large amount of non-relevant data into Splunk. Looking at a couple of general use cases, here is a list of Windows Event IDs to add when looking for specific information.

Use Case 1: Security

Windows Security can include several of the other use cases listed below. These are Event IDs that indicate suspicious or unusual activity.

EventID Priority Description Sub-Codes
1102 High The audit log was cleared. Probably want to investigate why.
4767 High Account Unlocked
4740 High Account Locked Out
4771 High Kerberos pre-authentication failed
4772 High A Kerberos authentication ticket request failed
4820 High Kerberos Ticket-Granting-Ticket was denied because the device does not meet the access control restrictions. 0x12 (account disabled), 0x18 (bad password), 0x6 (bad username)
4625 High Logon Failure. Sub-codes begin with 0xC00000. 64 (user doesn’t exist), 6A (bad password), 234 (user currently locked out), 72 (account disabled), 6F (logon outside of permitted times), 193 (account expiration)
4719 Medium System audit policy was changed.
4728 Medium A user was added to a privileged global group
4732 High A user was added to a privileged local group
4756 High A user was added to a privileged universal group
4782 High Password hash an account was accessed

Use Case 2: IT Operations

While there are several different Event IDs to monitor for all aspects of IT Operations, a few important ones are listed here. These are events a system administration should pay special attention to.

EventID Priority Description
1101 Medium Audit events have been dropped by transport. Possibly dirty shutdown.
1104 High The security log is now full. There will be holes in your logs if not fixed.
4616 High System time was changed.
4657 High A registry value was changed.
4697 Medium An attempt was made to install a service.

Use Case 3: Monitor User Accounts

A typical user may appear in Windows logs for logging on and off a system. Other user account events should not appear regularly for any one user. Without a larger planned event, where planned account activity is occurring, most of these Event IDs should remain low. Log-on and log-off events are listed here as low priority. Others are higher.

EventID Priority Description
4720 High User account created
4723 Medium User changed own password
4724 Medium Privileged user changed their password
4725 High Account disabled
4738 High Account changed
4726 High Account deleted
4781 Medium Account name changed
4624 Low Successful logon
4647 Low User-initiated logoff

Use Case 4: Scheduled Tasks

In a recent security scare, the threat was seen creating scheduled tasks to perform actions that compromised data security. Like all other actions, scheduled tasks are logged in Windows Events, and can be added to Splunk.

EventID Priority Description
4698 Medium A scheduled task was created
4699 Medium A scheduled task was deleted
4700 Medium A scheduled task was enabled
4701 Medium A scheduled task was disabled
4702 Medium A scheduled task was updated

Use Case 5: Windows Firewall

Windows has a built-in firewall. While this may be disabled by system administrators, environments where the firewall is active can use the event logs to monitor for suspicious activity. Unexpected and unauthorized rules and policies changes are strong indicators of threat, along with unapproved stopping of firewall services.

EventID Priority Description
4946 High A rule was added to the Windows Firewall exception list
4947 High A rule was modified in the Windows Firewall exception list
4950 Medium A setting was changed in Windows Firewall
4954 Medium Group Policy settings for Windows Firewall was changed
5025 High The Windows Firewall service was stopped
5031 High Windows Firewall blocked an application from accepting incoming traffic

Use Case 6: Windows Filtering Platform

Windows Filtering Platform is a set of API and system services that provide a platform for creating network filtering applications. It’s important to keep an eye on these events to make sure any unexpected or unapproved actions are captured.

EventID Priority Description
5146 High The Windows Filtering Platform has blocked a packet.
5147 High A more restrictive Windows Filtering Platform filter has blocked a packet.
5148 High The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
5149 High The DoS attack has subsided and normal processing is being resumed.
5150 High The Windows Filtering Platform has blocked a packet.
5151 High A more restrictive Windows Filtering Platform filter has blocked a packet.
5152 High The Windows Filtering Platform blocked a packet.
5153 High A more restrictive Windows Filtering Platform filter has blocked a packet.
5154 Medium The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
5155 High The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
5156 Medium The Windows Filtering Platform has allowed a connection.
5157 High The Windows Filtering Platform has blocked a connection.
5158 Medium The Windows Filtering Platform has permitted a bind to a local port.
5159 Medium The Windows Filtering Platform has blocked a bind to a local port.
5447 High A Windows Filtering Platform filter was changed.

This is not an exhaustive list of Windows Event Codes, nor is it a complete list for each use case. It’s a starting point for observation and can help to limit the number of events ingested by Splunk from Windows. Start by allowing the Event IDs listed above. As specific use cases develop, a deeper exploration of other Event IDs can help expand Splunk’s scope and effectiveness.

Adding Event IDs to Splunk

The easiest way to monitor Windows Event Logs in Splunk is to use the Splunk Add-On for Microsoft Windows. After installing the app, create a folder named “local” inside the app. Then, copy inputs.conf from the app’s “Default” folder and paste it in the local folder. Within each of the input stanzas, an allowed list can be added based on the pre-defined categories within the add-on.

[WinEventLog://Application]

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

renderXml = true

[WinEventLog://Security]

disabled = 0

start_from = oldest

current_only = 0

evt_resolve_ad_obj = 1

checkpointInterval = 5

blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"

blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"

renderXml = true

[WinEventLog://System]

disabled = 0

start_from = oldest

current_only = 0

checkpointInterval = 5

renderXml = true

Based on the use cases above, add the setting “whitelist=” to the stanza, followed by a comma-separated list of Event IDs. For example, to monitor “System,” use the IT Ops Event IDs. The stanza would then look like this:

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
whitelist = 1101, 1104, 4616, 4657, 4697

The same can be done with the other input stanzas for more comprehensive coverage of Windows Event Logs.

Contact us for more tips and tricks on monitoring Windows Event Logs with Splunk!