WELI Splunk (Raw TCP / XML) configuration

Windows Event Log Ingestion - Collecting Security Events with Splunk Universal Forwarders and sending data to Vectra in Raw TCP / XML format.

This article is meant as a companion to the main Windows Event Log Ingestion (WELI) article and gives configuration advice for using WELI with Splunk using a Raw TCP/XML configuration. This is the preferred Splunk integration method.

Configuration of Detect

Under Settings > External Connectors > Windows Event Log Ingestion use the following:

  • Type: Raw TCP

  • Data Format: xml

  • Receiving port: 4637 (fixed)

  • Server IP/hostname: IP address of the system where the Universal Forwarder is installed

  • Source Name: Friendly name of that server

NOTE: Add one entry (Server IP/hostname plus Source Name) for every server that will send data to Detect.

Case 1: Installation and Setup of Universal Forwarder

This case covers a Domain Controller on which the Universal Forwarder (UF) is not yet installed and from which we want to collect events.

Download the latest version of the UF: https://www.splunk.com/en_us/download/universal-forwarder/

Click Customize Options and configure the installer as follows (the original article illustrates each step with screenshots):

  • Windows event logs: select only the Security log. Detect requires only Security-related events, and the installer writes the matching inputs.conf for whatever is selected here.

  • Deployment server: leave the deployment server configuration empty.

  • Receiving indexer: enter the hostname or IP address of Cognito Detect and change the port from the default 9997 to 4637. This is the fixed port on which Detect receives Windows events.

The installer then writes an outputs.conf ($SPLUNK_HOME/etc/system/local/outputs.conf) that sends the data to Detect on TCP/4637.

With the installation complete, the default configuration needs two small changes. There are two ways to make them; we recommend Option 1.

**Option 1: Edit UF local inputs.conf**

Edit the inputs.conf file located in:

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\

and add `renderXml=true` to the Security event log input stanza. The installer only enables the input; `renderXml=true` is the setting that has to be added so that each event is sent as XML, the data format configured in Detect.

NOTE: The host and index lines are not required when sending data to Detect (they are part of the default configuration).

  • To send only Event ID 4768 and 4769, add a `whitelist` line for those two Event IDs to the same stanza.

NOTE: If you do not whitelist anything, every Security event is sent to Detect, which filters the stream and keeps only Event ID 4768 and 4769.

**Option 2: Using Windows TA**

In this case we use the Splunk Add-on for Microsoft Windows (Splunk_TA_windows) instead of editing the UF's own configuration files.

  • Install the Splunk Add-on for Microsoft Windows on your Universal Forwarder (https://splunkbase.splunk.com/app/742/)

  • Copy $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default/inputs.conf to $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf and edit the latter file. Settings in local/ override the same settings in default/, so only the stanza you change actually needs to be present in local/.

In the [WinEventLog://Security] stanza, enable the input (`disabled = 0`) and have it render events as XML (`renderXml = true`).

Note: As in Option 1, the host and index lines are not required when sending data to Detect.
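The Security input stanza that Option 1 and Option 2 both arrive at, as an added example (not a file from the original article or from Splunk); only the file location differs between the two options. The stanza name, the `whitelist` syntax and the setting names are standard Splunk inputs.conf settings; the `index = wineventlog` name in the comment is an assumption.

```ini
; Added example, not part of the original article.
; Option 1 file: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf
; Option 2 file: $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf
[WinEventLog://Security]
; Collect the Security event log (the Windows UF installer enables this when only the Security log is selected)
disabled = 0
; Required by Detect: emit each event as its XML rendering instead of the classic text rendering
renderXml = true
; Optional: forward only Kerberos TGT requests (4768) and service ticket requests (4769).
; Without this line every Security event is forwarded and Detect discards everything else.
whitelist = 4768,4769
; host and index are not needed for the Detect destination. Only set an index (assumed name
; below) if the same input also feeds your own Splunk indexers, as in Case 2.
; index = wineventlog
```

The `whitelist` applies at collection time, so in Case 2 (a UF that also feeds your Splunk indexers) it removes every other Security event from the indexers as well; leave it out there unless your SIEM does not need them.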

**After Using Either Option 1 or Option 2 Above**

Create the file $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/outputs.conf with a tcpout group whose destination is Detect on port 4637 and which sends raw (uncooked) data:

  • Replace A.B.C.D with the IP address of Detect

  • Restart the Universal Forwarder Service
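An outputs.conf for this step, as an added example (not the original article's file): the group name `vectra_detect` is an assumption, A.B.C.D stands for the Detect IP address exactly as above, and `sendCookedData = false` is the standard Splunk setting that turns a tcpout group into a raw TCP sender.

```ini
; Added example, not part of the original article.
; File: $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/outputs.conf
; (any app's local/ directory is merged the same way by splunkd)
[tcpout]
; Route all collected events to the Detect group
defaultGroup = vectra_detect

[tcpout:vectra_detect]
; Replace A.B.C.D with the IP address of Detect; 4637 is Detect's fixed WELI port
server = A.B.C.D:4637
; Detect is not a Splunk indexer: send the raw event text, not Splunk's cooked (S2S) stream.
; With the default (cooked) setting Detect receives S2S framing and cannot parse the XML.
sendCookedData = false
```

Because the installer in Case 1 already wrote its own tcpout group into $SPLUNK_HOME/etc/system/local/outputs.conf, and system/local takes precedence over an app's local/ directory, confirm the merged result before restarting: run `splunk btool outputs list --debug` from $SPLUNK_HOME\bin and check that the group named by the effective `defaultGroup` points at A.B.C.D:4637 and carries `sendCookedData = false`. If the installer's stanza wins, set `sendCookedData = false` there instead or remove it.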

Case 2: UF is already installed

In this case a Universal Forwarder is already installed on your Domain Controller and configured to send data to your Splunk indexers. We modify the existing configuration to add Detect as a second destination: the same data is then sent to both.

Edit the outputs.conf that currently holds the tcpout configuration (on a Windows UF this is usually C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf; `splunk btool outputs list --debug` prints the file each setting comes from) and add a second tcpout group for Detect, listing it in `defaultGroup` next to the existing group:

  • Replace A.B.C.D with the IP address of Detect

  • Restart the Universal Forwarder Service
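A merged outputs.conf for Case 2, as an added example (not the original article's file): the existing group name `splunk_indexers` and the indexer addresses are assumptions standing in for whatever your UF already has, and only the Detect group and the `defaultGroup` line are new.

```ini
; Added example, not part of the original article.
; Existing UF configuration extended with a raw TCP destination for Detect.
[tcpout]
; Listing two groups clones every event to both destinations
defaultGroup = splunk_indexers, vectra_detect

[tcpout:splunk_indexers]
; Existing destination, unchanged: Splunk indexers expect cooked data (the default)
server = idx1.example.com:9997, idx2.example.com:9997

[tcpout:vectra_detect]
; New destination: replace A.B.C.D with the IP address of Detect
server = A.B.C.D:4637
; Per-group setting: Detect needs the raw XML text, while the indexer group stays cooked
sendCookedData = false
```

Keep `sendCookedData = false` inside the Detect group rather than under the global `[tcpout]` stanza; set globally it would also switch the indexer group to raw output and break indexing. If Detect is unreachable, the UF's output queue for that group fills and, once blocked, can stall the indexer group too, so validate connectivity to TCP/4637 from the DC before cutting over.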

Validation

From Detect, under Settings > External Connectors > Windows Event Log Ingestion:

  • If Detect is receiving data from a listed server, a green check mark is displayed next to it

  • If no data is arriving, a red icon is displayed

If the icon stays red, check from the Domain Controller that TCP/4637 on Detect is reachable (for example with `Test-NetConnection -ComputerName A.B.C.D -Port 4637`), confirm the effective configuration with `splunk btool outputs list --debug` and `splunk btool inputs list --debug`, and look for TcpOutputProc connection errors in $SPLUNK_HOME\var\log\splunk\splunkd.log.
