WELI Splunk (syslog / legacy) configuration

This article is meant as a companion to the main Windows Event Log Ingestion (WELI) article and gives configuration advice for using WELI with Splunk using a Splunk legacy text based Syslog option. Please read that article first and if you need to use the Splunk legacy text based syslog option, then follow the steps in this article. The other Splunk option using XML is the preferred method for integration if you can use it (reasons are in the main WELI article).

Configuration of your Vectra platform

Under Settings > External Connectors > Windows Event Log Ingestion use the following:

Type: Syslog
Data Format: tcp (cannot change)
Receiving port: 4638 (fixed)
Server IP/hostname: IP address where your Heavy Forwarder is installed
- Test was done using a Splunk Heavy Forwarder in between the Indexer and Universal Forwarders.
- If you do not have a Heavy Forwarder, the same configuration may work, but this was not tested and additional changes may be required for your environment.
Additional sources can be configure if desired.

Configuration of Splunk

We assume that you are already collecting Windows security event log data using Splunk Universal Forwarder(s) in this scenario and that you are using the Splunk legacy text based format and cannot use the XML option. In this scenario, we expect that log entries look similar to the following examples:

4768 Example:

4769 Example:

You will need to modify Splunk configuration files to enable a transformation of log data to a format that Vectra can parse:

The main idea is to duplicate the WinEventLog:Security to a new sourcetype, change the default routing to avoid sending it to Splunk indexers and send 4768 and 4769 events to Vectra Detect using ISC formated messages.

Modifying "outputs.conf":

[syslog:vectra_brain]
server = 139.162.204.37:4444
type = tcp
maxEventSize = 4096
timestampformat = %b %e %H:%M:%S

Modifying "props.conf":

[WinEventLog:Security]
TRANSFORMS-clone = clone_sourcetype
 
[cloned]
SEDCMD-newline = s/[\n\r\t]/ /g
SEDCMD-eventid = s/EventCode=/EventID=/
TRANSFORMS-syslog = construct_time, rewrite_4768, rewrite_4769
TRANSFORMS-output = cloned_syslog, cloned_noTCP_routing

Modifying "transforms.conf":

[clone_sourcetype]
REGEX = .
CLONE_SOURCETYPE = cloned
 
[construct_time]
SOURCE_KEY = _time
REGEX = (.*)
FORMAT =  TimeGenerated=$1 $0
DEST_KEY = _raw
 
[rewrite_4768]
SOURCE_KEY = _raw
REGEX = (TimeGenerated=\d+).*(EventID=4768).*(Message=.*)
FORMAT = AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=1.0.14 Source=Microsoft-Windows-Security-Auditing Computer= User= Domain= $2 EventIDCode=4768 EventType=8 EventCategory=14339 RecordNumber=2093536389 $1 TimeWritten=1496854905 $3
DEST_KEY = _raw

[rewrite_4769]
SOURCE_KEY = _raw
REGEX = (TimeGenerated=\d+).*(EventID=4769).*(Message=.*)
FORMAT = AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.9.96 Source=Microsoft-Windows-Security-Auditing Computer=machine.local OriginatingComputer=10.1.1.1 User= Domain= $2 EventIDCode=4769 EventType=8 EventCategory=14337 RecordNumber=46278873 $1 TimeWritten=1588792601 Level=Log Always Keywords=Audit Success Task=SE_ADT_ACCOUNTLOGON_KERBEROS Opcode=Info $3
DEST_KEY = _raw
 
[cloned_noTCP_routing]
DEST_KEY = _TCP_ROUTING
FORMAT = bogus
REGEX = .
 
[cloned_syslog]
REGEX = EventID=(4768|4769)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = vectra_brain

To validate your configuration is working properly, follow the instructions titled "How can I validate successful parsing of WELI data?" in the main Windows Event Log Ingestion (WELI) article.

PreviousWELI Splunk (Raw TCP / XML) configuration NextRemote Users

Last updated 46 minutes ago

Was this helpful?

Good evening

hashtagConfiguration of your Vectra platform

hashtagConfiguration of Splunk

hashtagYou will need to modify Splunk configuration files to enable a transformation of log data to a format that Vectra can parse:

Configuration of your Vectra platform

Configuration of Splunk

You will need to modify Splunk configuration files to enable a transformation of log data to a format that Vectra can parse: