# WELI Splunk (Raw TCP / XML) configuration

This article is a companion to the main [Windows Event Log Ingestion (WELI) article](https://docs.vectra.ai/configuration/coverage/network-identities-weli/windows-event-log-ingestion-weli) and describes how to configure WELI with Splunk using a Raw TCP/XML configuration. This is the preferred Splunk integration method.

## Configuration of Detect

Under Settings > External Connectors > Windows Event Log Ingestion use the following:

* Type: Raw TCP
* Data Format: xml
* Receiving port: 4637 (fixed)
* Server IP/hostname: IP address of the system where the Universal Forwarder is installed
* Source Name: Friendly name of that server

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-372964c5a843cfed7102ad7351caf651df6645ca%2F256c2fa94b6c1bd9ca063017ceda0dac16d24db475278d4ec2736eefb83eec32.png?alt=media)

**NOTE**: Add one entry per server (Universal Forwarder) that will be sending data to Detect.

### Case 1: Installation and Setup of Universal Forwarder

This case applies when no Universal Forwarder is installed yet on the Domain Controller we want to collect data from.

*Download latest version of UF:* [*https://www.splunk.com/en\_us/download/universal-forwarder/*](https://www.splunk.com/en_us/download/universal-forwarder/)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-2380677a9419db42c08bbfcea55117ffd400a994%2F5f92a4a5f6903160a2e8aaa7ce0f7c757b298e65c32a8f2cae88bd2c3a765e45.png?alt=media)

Click on **Customize** **Options** and do as seen in the screenshots below:

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-d630ab6e44c3119b09336fbc0d669996f6eb9b79%2F44dad2b202129f456538bc1a52dade7719f04e99d551b177f7607daff0ee20b1.png?alt=media)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-8b725b6f456f2e01788d2bc7e5b5bc09e6b0338e%2F959cf51dbff5b631a4018d1fda4926cb7aa2dd104e969b9368de762578694153.png?alt=media)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-96d705514c92ea1d75e413f58ed9ef1b9362b8a6%2Fecb9b259ecedf295b485db881d40103efac34a07c93ec514975f5ff5db467984.png?alt=media)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-5339c14a480bcecb62979be9d1d420ed666dbb8b%2F0fefd65c8115971c2918436fd0ed8493a8fb4e648b63c877201ddbb7fa102242.png?alt=media)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-2ee462ff6bd88f106522f655a72d03b0abdee5a6%2F821b1c74de26a6b6cfc4522091e2f5e81939a914592e8aaa786992418b459463.png?alt=media)

Select only the Security log: Detect requires only Security events. (The installer writes this selection to the *inputs* configuration file automatically.)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-5461319051cd653f2a446b0a93e2dd86e0e4347d%2F21ad3ada6cc40de41bd487f319e86d934464dc5be54f328240f90f761d1946cd.png?alt=media)

*Leave the deployment server configuration empty.*

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-208aa6eaee6bec695dbef5125507b42eb072b407%2Fcfb63822449198768550ed230c7b9c06c74312e34cc705fd3ff7a9b21f79b97d.png?alt=media)

Configure the hostname or IP address and port of Cognito Detect as the receiving system and proceed per the screenshots below. Change the port from the default 9997 to **4637**; this is the fixed port on which Detect receives Windows events.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-bd2e0cbbf1ed7286dba9f275f546714bdb73dc8e%2Fd659800281f7cd3f2f94f808bdd7ad9ad2ac762c96c31e02ea18cce4b50ac6ae.png?alt=media)

This automatically writes the output configuration file (*$SPLUNK\_HOME/etc/apps/system/local/outputs.conf*) so that the forwarder sends its data to Detect on TCP port 4637.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-590bb29dcbbf3f3011ef339ecd7d00b3d5814723%2Fcbd0611983b6bc22cd4215c76e7a3f20647edfff6a251aa06ffcb565c1fc2f7e.png?alt=media)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-6078538041bbbb1620e703eb7ae166278ac2fbdf%2F7ca50caf31b55f8f966aa15c93b2c1c8b22e8da1f2a570a60bb4dc2aa4d8459b.png?alt=media)

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-5d8437c574b700b35ad4418d3476058b251a865c%2Fddb0939d79fc1b718426b5818b2e37f631f561608f9093e083814d7184c045f0.png?alt=media)

Now that the installation is done, the default configuration needs a small change. There are two ways to do it; we recommend the first option.

<details>

<summary>**Option 1: Edit UF local inputs.conf**</summary>

Edit the inputs.conf file located in:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\\

to include a few more parameters:

```language-markup
[WinEventLog://Security]
host=dc01
index = wineventlog_xml
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
renderXml=true
```

The "renderXml=true" part above is what needs to be added.

**NOTE: The host and index lines are not required when sending the data to Detect (they are part of the default config).**

* To send only Event IDs 4768 and 4769, add the line:

```language-markup
whitelist1 = EventCode="476[89]"
```

**NOTE**: If you do not whitelist anything, all Security events are sent to Detect, which filters them and keeps only Event IDs 4768 and 4769. The whitelist only reduces the volume leaving the Domain Controller; it does not change what Detect keeps.

</details>

<details>

<summary>**Option 2: Using Windows TA**</summary>

In this case, we are going to use the Windows add-on (Splunk\_TA\_windows) instead of editing the UF system files.

* Install Splunk Add-on for Microsoft windows on your Universal Forwarder (<https://splunkbase.splunk.com/app/742/> )
* Copy $SPLUNK\_HOME/etc/apps/Splunk\_TA\_windows/default/inputs.conf to $SPLUNK\_HOME/etc/apps/Splunk\_TA\_windows/local/inputs.conf and edit the latter file

Change this section below from :

```language-markup
[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
```

To:

```language-markup
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
host=dc01
index = wineventlog_xml
```

**Note: The last 2 lines (host and index) are not required when sending the data to Detect.** `evt_resolve_ad_obj = 0` skips Active Directory SID lookups on the Domain Controller; the 4768/4769 XML already carries the account name in `TargetUserName`. Set the attribute only once in the stanza: Splunk does not merge duplicate keys, and a second occurrence silently overrides the first.

</details>

<details>

<summary>**After Using Either Option 1 or Option 2 Above**</summary>

Create the file $SPLUNK\_HOME/etc/apps/Splunk\_TA\_windows/local/outputs.conf (after Option 1, where the Windows TA is not installed, create it instead in the same local directory as the inputs.conf edited above; Splunk merges outputs.conf from every app):

```language-markup
[tcpout]
defaultGroup = detect

[tcpout:detect]
server = A.B.C.D:4637
sendCookedData = false
```


* Replace A.B.C.D with the IP address of Detect
* `sendCookedData = false` makes the forwarder send plain events rather than Splunk's cooked stream, which is what Detect's Raw TCP listener expects. This raw TCP feed is not encrypted by default, so keep the Domain Controller to Detect path on a trusted network segment and restrict TCP 4637 on Detect to the forwarders listed under External Connectors.
* Restart the Universal Forwarder Service

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-44603c1aa23bbf932b9da5579e21eeee142d09ec%2F78e856db53dfb3983681947483cde472fef81312c46a06e07499a29d3ecc4e6f.png?alt=media)

</details>

### Case 2: UF is already installed

In this case, a Universal Forwarder is already installed on your Domain Controller and configured to send data to your Splunk indexers. We modify the existing configuration to add another destination, so the same data is sent to both.

Edit $SPLUNK\_HOME/etc/apps/system/local/outputs.conf (on Windows this is *C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\outputs.conf*) and add a second destination group, the `[tcpout:detect]` stanza below, alongside the existing one:

```language-markup
[tcpout]
defaultGroup = splunk_indexer, detect

[tcpout:splunk_indexer]
# existing indexer destination: leave it as it was. The indexer expects the
# default cooked stream on 9997, so do not add sendCookedData = false here.
server = A.B.C.D:9997

[tcpout:detect]
server = A.B.C.D:4637
sendCookedData = false
```

* Replace A.B.C.D in the `[tcpout:detect]` stanza with the IP address of Detect (the `splunk_indexer` stanza keeps your existing indexer address and settings)
* Restart the Universal Forwarder Service

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-44603c1aa23bbf932b9da5579e21eeee142d09ec%2F78e856db53dfb3983681947483cde472fef81312c46a06e07499a29d3ecc4e6f.png?alt=media)
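The edits in Case 1 (Option 1 plus the outputs.conf step) and in Case 2 come down to the same two file changes on the forwarder host. The PowerShell script below is an added example, not part of the Vectra page or of Splunk; it applies both changes idempotently (appends `detect` to an existing `defaultGroup`, creates `[tcpout]` when there is none, and only touches `renderXml` inside the Security stanza) and then shows the merged result with `splunk btool`. It assumes the default UF install path, a `local` directory under `etc\apps\SplunkUniversalForwarder`, and a placeholder Detect address `$DetectIp` that you must replace; run it elevated on the Domain Controller.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Vectra page or from Splunk): applies the Option 1 inputs.conf
# change and the outputs.conf change from Case 1 / Case 2 in one idempotent pass.
# Assumptions: default UF install path, local config under etc\apps\SplunkUniversalForwarder\local,
# and $DetectIp is a placeholder that must be replaced with the Detect address.
param(
    [string]$DetectIp   = '10.0.0.50',
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$LocalDir   = "$SplunkHome\etc\apps\SplunkUniversalForwarder\local"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

function Read-Conf([string]$Path) {
    # Normalise to LF so the regexes below do not have to care about CRLF.
    if (Test-Path $Path) { (Get-Content $Path -Raw) -replace "`r`n", "`n" } else { '' }
}

# ---- outputs.conf: add the Detect destination without disturbing an existing indexer group ----
$outPath = Join-Path $LocalDir 'outputs.conf'
$outputs = Read-Conf $outPath
if ($outputs -match '(?m)^\[tcpout:detect\]') {
    Write-Host '[tcpout:detect] already present; outputs.conf left unchanged.'
} else {
    if ($outputs -notmatch '(?m)^\[tcpout\]') {
        # Fresh install (Case 1): no tcpout stanza yet.
        $outputs = "[tcpout]`ndefaultGroup = detect`n`n" + $outputs
    } elseif ($outputs -match '(?m)^defaultGroup\s*=\s*(.*)$') {
        # Case 2: keep the indexer group(s) and append detect so both receive the same events.
        $groups = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) + 'detect'
        $outputs = $outputs -replace '(?m)^defaultGroup\s*=.*$', ('defaultGroup = ' + ($groups -join ', '))
    } else {
        # [tcpout] exists but has no defaultGroup line.
        $outputs = $outputs -replace '(?m)^\[tcpout\][ \t]*$', "[tcpout]`ndefaultGroup = detect"
    }
    # Port 4637 is fixed on the Detect side; sendCookedData=false sends plain events, not Splunk's cooked stream.
    $outputs = $outputs.TrimEnd() + "`n`n[tcpout:detect]`nserver = ${DetectIp}:4637`nsendCookedData = false`n"
    Set-Content -Path $outPath -Value $outputs -Encoding ASCII
    Write-Host "Added [tcpout:detect] -> ${DetectIp}:4637"
}

# ---- inputs.conf: Detect needs the Security log rendered as XML (renderXml = true) ----
$inPath = Join-Path $LocalDir 'inputs.conf'
$inputs = Read-Conf $inPath
# Isolate the Security stanza (up to the next [stanza] header or end of file).
$stanza = [regex]::Match($inputs, '(?ms)^\[WinEventLog://Security\].*?(?=^\[|\z)')
if (-not $stanza.Success) {
    $inputs = $inputs.TrimEnd() + "`n`n[WinEventLog://Security]`ndisabled = 0`nstart_from = oldest`ncurrent_only = 0`ncheckpointInterval = 5`nrenderXml = true`n"
} elseif ($stanza.Value -notmatch '(?m)^renderXml\s*=\s*true[ \t]*$') {
    # Replace a wrong or missing renderXml inside the Security stanza only.
    $body   = ($stanza.Value -replace '(?m)^renderXml\s*=.*\n?', '').TrimEnd() + "`nrenderXml = true`n`n"
    $inputs = $inputs.Substring(0, $stanza.Index) + $body + $inputs.Substring($stanza.Index + $stanza.Length)
}
Set-Content -Path $inPath -Value $inputs -Encoding ASCII

# ---- apply and confirm what splunkd will actually load after merging all apps ----
Restart-Service -Name SplunkForwarder
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
& $splunk btool outputs list tcpout:detect --debug
& $splunk btool inputs list 'WinEventLog://Security' --debug
```

The `btool --debug` lines at the end print the file each effective setting comes from, which is the quickest way to spot a `renderXml` or `defaultGroup` value being overridden by another app on the forwarder.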

### Validation

From Detect, under **Settings > External Connectors > Windows Event Log Ingestion**:

* If it is receiving data, the green check mark is displayed

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-2d0d8a8a1ef886f17c278773c17e7277a785e023%2F9a13cdf26fa4eb130219285b600ef0aeb9c7c477078ba6c7c38c9af321998258.png?alt=media)

* Otherwise, if there is no incoming data, a red icon is displayed
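When the red icon stays, the cause is almost always on the forwarder side. The PowerShell checks below are an added example, not part of the Vectra page; run them elevated on the Domain Controller that hosts the Universal Forwarder. They confirm the forwarder service and its merged configuration, the TCP path to port 4637, that the Security log actually contains 4768/4769 events (and show the event XML as Windows renders it, which is what `renderXml = true` forwards), and what splunkd itself logs about the connection. `$DetectIp` and the install path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Vectra page): run on the Domain Controller that hosts the
# Universal Forwarder when Detect shows the red icon. Checks the forwarder, the network
# path, the events themselves and the forwarder's own log. $DetectIp is an assumption.
param(
    [string]$DetectIp   = '10.0.0.50',
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
)
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'

# 1. Is the forwarder running, and does its merged config really contain the detect group and renderXml?
Get-Service -Name SplunkForwarder | Select-Object Name, Status, StartType
& $splunk btool outputs list tcpout:detect --debug
& $splunk btool inputs list 'WinEventLog://Security' --debug | Select-String 'renderXml|disabled|whitelist'

# 2. Can this host open TCP 4637 to Detect? A firewall between the DC and Detect is the usual cause.
$tcp = Test-NetConnection -ComputerName $DetectIp -Port 4637 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) { "TCP ${DetectIp}:4637 reachable" } else { Write-Warning "TCP ${DetectIp}:4637 NOT reachable" }

# 3. Is the DC producing 4768/4769 at all, and what does the XML that renderXml=true forwards look like?
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($null -eq $evt) {
    Write-Warning 'No 4768/4769 in the Security log: enable "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" under Account Logon'
} else {
    [xml]$x = $evt.ToXml()   # the event XML as Windows renders it; renderXml = true forwards this form
    $target = ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    'Latest Kerberos event: {0} EventID={1} TargetUserName={2}' -f $evt.TimeCreated, $x.Event.System.EventID, $target
}

# 4. What does the forwarder itself say about the connection to Detect?
Get-Content (Join-Path $SplunkHome 'var\log\splunk\splunkd.log') -Tail 300 |
    Select-String -Pattern 'TcpOutputProc|4637' | Select-Object -Last 10
```

If step 2 fails the icon will not turn green whatever the configuration says; if step 3 finds no events, the forwarder is working but has nothing Detect keeps, since Detect only retains 4768 and 4769.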
