# WELI Splunk (syslog / legacy) configuration

This article is a companion to the main [Windows Event Log Ingestion (WELI) article](https://docs.vectra.ai/configuration/coverage/network-identities-weli/windows-event-log-ingestion-weli) and gives configuration advice for using WELI with Splunk through Splunk's legacy text-based syslog option. Please read the main article first; if you must use the legacy text-based syslog option, follow the steps in this article. [The other Splunk option using XML](https://docs.vectra.ai/configuration/coverage/network-identities-weli/weli-splunk-raw-tcp-xml-configuration) is the preferred integration method if you can use it (the reasons are given in the main WELI article).

## Configuration of your Vectra platform

Under *Settings > External Connectors > Windows Event Log Ingestion* use the following:

* Type: Syslog
* Data Format: tcp (cannot change)
* Receiving port: 4638 (fixed)
* Server IP/hostname: IP address where your Heavy Forwarder is installed
  * Test was done using a Splunk Heavy Forwarder in between the Indexer and Universal Forwarders.
  * If you do not have a Heavy Forwarder, the same configuration may work, but this was not tested and additional changes may be required for your environment.
* Additional sources can be configured if desired.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-fee5262b35d895d7dbce3b1b3fb1969e45eaf5b4%2Fd380d1d3f9a54659676b4daee1412a6a6edcf109731410e947b271cf476673f6.jpg?alt=media)

## Configuration of Splunk

We assume that you are already collecting Windows security event log data with Splunk Universal Forwarder(s), that you are using the Splunk legacy text-based format, and that you cannot use the XML option. In this scenario, we expect log entries to look similar to the following examples:

4768 Example:\
![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-7ebc1ee65ef1f673f040025e5dd1722767a308a8%2Fe371127cb3735153629ac767793f6e391cc23e47a6c6c3066c4a7a8fff3306bb.jpg?alt=media)

4769 Example:\
![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-a4c81ca5f2ac78fc00cdb36eea4ddb18a9318c65%2F423a147971e460d9120eeab27b277fdfc6843879d4bbb38eea6838c357dc2ddc.jpg?alt=media)

### You will need to modify Splunk configuration files to enable a transformation of log data to a format that Vectra can parse:

The main idea is to clone WinEventLog:Security into a new sourcetype, change the clone's default routing so it is not sent to the Splunk indexers, and forward only the 4768 and 4769 events to Vectra Detect as ISC-formatted messages.

Modifying "outputs.conf":

```ini
# Syslog output group referenced by _SYSLOG_ROUTING in transforms.conf.
# server must be the IP/hostname of your Vectra platform and its WELI
# receiving port (see the Vectra settings above); substitute your own values.
[syslog:vectra_brain]
server = 139.162.204.37:4444
type = tcp
maxEventSize = 4096
timestampformat = %b %e %H:%M:%S
```

Modifying "props.conf":

```ini
# Clone every WinEventLog:Security event into sourcetype "cloned";
# the original event continues to the indexers unchanged.
[WinEventLog:Security]
TRANSFORMS-clone = clone_sourcetype

# Flatten the multi-line event and rename EventCode= to EventID= so the
# regexes in transforms.conf match, then rewrite and route the clone.
[cloned]
SEDCMD-newline = s/[\n\r\t]/ /g
SEDCMD-eventid = s/EventCode=/EventID=/
TRANSFORMS-syslog = construct_time, rewrite_4768, rewrite_4769
TRANSFORMS-output = cloned_syslog, cloned_noTCP_routing
```

Modifying "transforms.conf":

```ini
# Match every event (REGEX = .) and clone it into sourcetype "cloned".
[clone_sourcetype]
REGEX = .
CLONE_SOURCETYPE = cloned

# Prepend the event's epoch time as TimeGenerated=; $0 is the existing _raw.
[construct_time]
SOURCE_KEY = _time
REGEX = (.*)
FORMAT = TimeGenerated=$1 $0
DEST_KEY = _raw

# Rebuild a 4768 event into the ISC field layout. Only $1 (TimeGenerated),
# $2 (EventID) and $3 (Message onwards) come from the event; the remaining
# fields are fixed values from the tested configuration.
[rewrite_4768]
SOURCE_KEY = _raw
REGEX = (TimeGenerated=\d+).*(EventID=4768).*(Message=.*)
FORMAT = AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=1.0.14 Source=Microsoft-Windows-Security-Auditing Computer= User= Domain= $2 EventIDCode=4768 EventType=8 EventCategory=14339 RecordNumber=2093536389 $1 TimeWritten=1496854905 $3
DEST_KEY = _raw

# Same for 4769 (service ticket requests).
[rewrite_4769]
SOURCE_KEY = _raw
REGEX = (TimeGenerated=\d+).*(EventID=4769).*(Message=.*)
FORMAT = AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.9.96 Source=Microsoft-Windows-Security-Auditing Computer=machine.local OriginatingComputer=10.1.1.1 User= Domain= $2 EventIDCode=4769 EventType=8 EventCategory=14337 RecordNumber=46278873 $1 TimeWritten=1588792601 Level=Log Always Keywords=Audit Success Task=SE_ADT_ACCOUNTLOGON_KERBEROS Opcode=Info $3
DEST_KEY = _raw

# Point every clone at a tcpout group that does not exist, so clones are
# never forwarded to the indexers.
[cloned_noTCP_routing]
DEST_KEY = _TCP_ROUTING
FORMAT = bogus
REGEX = .

# Send only 4768/4769 clones to the vectra_brain syslog output defined
# in outputs.conf; all other clones are discarded.
[cloned_syslog]
REGEX = EventID=(4768|4769)
DEST_KEY = _SYSLOG_ROUTING
FORMAT = vectra_brain
```
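To see what these three files do to a single event before deploying them, the following Python model of the cloned-sourcetype pipeline is added here as an example; it is not Splunk code and not part of Vectra's documentation. It applies the two SEDCMDs, the `construct_time` transform, the two rewrites and the routing transforms to a constructed legacy-format 4768 event and to a 4624 event. It assumes, as the configuration itself does, that Splunk runs SEDCMD before the TRANSFORMS and applies each REGEX as an unanchored search; the sample event text, the epoch time, the hostnames and the account name are invented.

```python
import re

# Constructed sample of a legacy (text, non-XML) Windows Security event as a
# Universal Forwarder would send it under sourcetype WinEventLog:Security.
# All field values are invented for this example.
SAMPLE_4768_RAW = (
    "05/11/2020 10:15:42 AM\n"
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4768\n"
    "EventType=0\n"
    "Type=Information\n"
    "ComputerName=dc01.example.local\n"
    "TaskCategory=Kerberos Authentication Service\n"
    "Message=A Kerberos authentication ticket (TGT) was requested.\n"
    "\tAccount Name:\t\tjdoe\n"
    "\tClient Address:\t\t::ffff:10.0.0.25\n"
)
SAMPLE_4768_TIME = 1589192142  # constructed epoch value standing in for _time

# Same event with an EventCode the configuration does not forward.
SAMPLE_4624_RAW = SAMPLE_4768_RAW.replace("EventCode=4768", "EventCode=4624")

# FORMAT strings of [rewrite_4768] and [rewrite_4769], copied from transforms.conf.
FORMAT_4768 = ("AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=1.0.14 "
               "Source=Microsoft-Windows-Security-Auditing Computer= User= Domain= $2 "
               "EventIDCode=4768 EventType=8 EventCategory=14339 RecordNumber=2093536389 "
               "$1 TimeWritten=1496854905 $3")
FORMAT_4769 = ("AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=7.2.9.96 "
               "Source=Microsoft-Windows-Security-Auditing Computer=machine.local "
               "OriginatingComputer=10.1.1.1 User= Domain= $2 EventIDCode=4769 EventType=8 "
               "EventCategory=14337 RecordNumber=46278873 $1 TimeWritten=1588792601 "
               "Level=Log Always Keywords=Audit Success Task=SE_ADT_ACCOUNTLOGON_KERBEROS "
               "Opcode=Info $3")
REWRITES = [
    (re.compile(r"(TimeGenerated=\d+).*(EventID=4768).*(Message=.*)"), FORMAT_4768),
    (re.compile(r"(TimeGenerated=\d+).*(EventID=4769).*(Message=.*)"), FORMAT_4769),
]


def apply_sedcmds(raw):
    """props.conf [cloned]: SEDCMD-newline, then SEDCMD-eventid (no /g, so first match only)."""
    raw = re.sub(r"[\n\r\t]", " ", raw)
    return re.sub(r"EventCode=", "EventID=", raw, count=1)


def construct_time(raw, event_time):
    """[construct_time]: SOURCE_KEY=_time, REGEX=(.*), FORMAT=TimeGenerated=$1 $0.
    In a FORMAT, $0 is the current value of DEST_KEY (_raw here)."""
    return f"TimeGenerated={event_time} {raw}"


def rewrite(raw):
    """[rewrite_4768] then [rewrite_4769]: a stanza whose REGEX does not match leaves _raw alone."""
    for regex, fmt in REWRITES:
        m = regex.search(raw)
        if m:
            raw = re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), fmt)
    return raw


def route(raw):
    """TRANSFORMS-output = cloned_syslog, cloned_noTCP_routing: which outputs see the clone."""
    keys = {}
    if re.search(r"EventID=(4768|4769)", raw):      # [cloned_syslog]
        keys["_SYSLOG_ROUTING"] = "vectra_brain"
    if re.search(r".", raw):                         # [cloned_noTCP_routing]: every clone
        keys["_TCP_ROUTING"] = "bogus"               # no such tcpout group, so never indexed
    return keys


def process(raw, event_time):
    """Run one cloned event through the three stages; return (final _raw, routing keys)."""
    cloned = construct_time(apply_sedcmds(raw), event_time)
    cloned = rewrite(cloned)
    return cloned, route(cloned)


if __name__ == "__main__":
    for raw in (SAMPLE_4768_RAW, SAMPLE_4624_RAW):
        out, routing = process(raw, SAMPLE_4768_TIME)
        print(routing)
        print(out[:160], "...")
```

Running it shows the 4768 clone leaving with the ISC-style header and both routing keys set, while the 4624 clone only gets `_TCP_ROUTING=bogus` and is therefore discarded; the original WinEventLog:Security event is untouched by all of this because CLONE_SOURCETYPE leaves it on its normal path. Note that `[cloned_syslog]` matches on `EventID=`, so the `SEDCMD-eventid` rename is what makes the syslog routing fire: remove it and nothing reaches Vectra.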

To validate your configuration is working properly, follow the instructions titled "How can I validate successful parsing of WELI data?" in the main [Windows Event Log Ingestion (WELI)](https://docs.vectra.ai/configuration/coverage/network-identities-weli/windows-event-log-ingestion-weli) article.
