Community:SplunkForWindows
From Splunk Wiki
Splunk for Windows
This documentation applies to Splunk version 3.4.x and earlier ONLY
Splunk for Windows Management provides a variety of searches, event types and reports. These not only improve the Splunk on Windows experience, they also provide foundational support to other applications by tagging Windows data sources to be compliant with the Common Information Model.
Additionally, it comes with a management pack for Systems Center Operations Manager that extends SCOM computer objects to make them instantly searchable with Splunk.
Contents
- 8 reports
- ~62 event types, with field actions for more information
- SCOM management pack for Splunk
Screenshots
Report on Application Event Logs
Report on Registry Changes
Display of WMI Processor Data
Installing Splunk for Windows Management
To install the Splunk for Windows Management application, you can either download it directly from within Splunk's admin UI or download and install it manually.
To install it via the Splunk Admin UI, go to Splunk -> Admin and select Applications. Then browse Splunkbase (or search for "Windows") and select the Splunk for Windows Management app for installation. You will need to restart Splunk for the event typing to take effect.
To install it manually, download the application from Splunkbase here and save it to your local hard drive. Although it has a .spl extension, it can be safely unpacked with any tarball-compatible tool. If you need one, more information can be found at gzip.org.
Once unpacked, copy the files in the splunkforwindows directory to %SPLUNK_HOME%\etc\apps. If you followed the default install path, that is C:\Program Files\Splunk\etc\apps.
Once copied, you'll need to restart Splunk.
Installing the Splunk Management Pack for SCOM
Installing the Splunk MP extension to SCOM requires three steps: modifying your SCOM console, installing the SCOM MP, and preparing Splunk for SCOM integration. Because Splunk, the SCOM server and the SCOM console could be on any number or combination of machines, this must be a manual process.
Install the SCOM Client components
Copy the contents of the %splunk%\etc\apps\splunkforwindows\client to the desired host with the SCOM management console installed.
Execute install_splunksearch.bat
Optionally, you can manually follow the steps recorded in install_splunksearch.bat.
Install the SCOM Server supporting files
Copy the contents of the %splunk%\etc\apps\splunkforwindows\management_pack to the SCOM server.
Execute install_splunkSCOM.bat
Optionally, you can manually follow the steps recorded in install_splunkSCOM.bat.
Prepare Splunk for SCOM integration
Copy the splunkforwindows\for_scom\XMLResources.py to: %splunkhome%\Python-2.5\Lib\site-packages\splunk\appserver\oxiclean
If you followed the default installation, that would be: C:\Program Files\Splunk\Python-2.5\Lib\site-packages\splunk\appserver\oxiclean
You will then need to restart splunkd and splunkweb.
Configuration
Splunk for Windows Management WMI event types are the only additional configuration recommended. If you open %splunk%\etc\apps\splunkforwindows\default\wmi.conf, you can optionally point those WMI collections at additional hosts.
To do that, add a line host = followed by the NetBIOS or fully qualified domain name (the DNS name) of the hosts you want to poll. There is no practical limit to the number of hosts you can query; the bottleneck is the resources the Windows OS uses to start the WMI API for each polled host. If you are going to be polling hundreds of Windows hosts, test your indexing throughput and Windows system resource utilization with a subset before the final roll-out.
More information is available in the Splunk documentation under WMI, or in %Splunk_home%\etc\apps\windows\default\wmi.conf
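Before pointing the WMI collections at hundreds of hosts, it helps to know how many polls per minute each host will receive from the configuration as written. The script below is an added example, not part of the app or the Splunk documentation: it parses a constructed wmi.conf fragment (the [WMI:<name>] stanza layout, the interval key and comma-separated host = lists are assumptions, as is treating a stanza without host = as local-only) and sums the per-host polling rate across all stanzas.

```python
import configparser
from collections import defaultdict

# Constructed wmi.conf fragment in the [WMI:<name>] stanza style assumed here
# (the file shipped with the app may differ). Two collections are pointed at
# remote hosts via comma-separated "host =" lists; the third is local-only.
SAMPLE_WMI_CONF = """
[settings]
initial_backoff = 5

[WMI:CPUTime]
interval = 10
wql = select * from Win32_PerfFormattedData_PerfOS_Processor
host = dc01, fs01.corp.example

[WMI:FreeDiskSpace]
interval = 60
wql = select FreeSpace, Name from Win32_LogicalDisk
host = fs01.corp.example

[WMI:LocalProcesses]
interval = 5
wql = select * from Win32_Process
"""


def parse_wmi_conf(text):
    """Return {stanza: (interval_seconds, [hosts])} for every WMI:* stanza.

    A stanza with no "host =" line is recorded as ["localhost"], on the
    assumption that the collection then runs only against the Splunk host.
    """
    cp = configparser.ConfigParser(interpolation=None)  # WQL may contain '%'
    cp.read_string(text)
    result = {}
    for section in cp.sections():
        if not section.startswith("WMI:"):
            continue
        interval = int(cp.get(section, "interval", fallback="60"))
        raw = cp.get(section, "host", fallback="localhost")
        hosts = [h.strip().lower() for h in raw.split(",") if h.strip()]
        result[section] = (interval, hosts)
    return result


def polls_per_minute(text):
    """Estimate how many WMI polls per minute each host receives in total."""
    load = defaultdict(float)
    for interval, hosts in parse_wmi_conf(text).values():
        for host in hosts:
            load[host] += 60.0 / interval
    return dict(load)
```

Hosts near the top of the resulting table are the ones to include in the subset used for the throughput and resource test.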
Field Actions
One field action is defined for event logs: when you follow a highlighted security event log item, it points you to more information on www.ultimatewindowssecurity.com.
Event Tags
There are over 60 event tags for Windows event logs that are designed to make cross-platform search easier and act as a foundational naming scheme for other Splunk apps, such as Splunk for PCI, Splunk for VMware and Splunk for Change Management.
If you are using any of these applications, you are encouraged to first install this application on your Windows hosts.
File System Changes
Have a look at Deploy:AuditFilereadsWindows to see how to set up file system change monitoring on Windows systems.
Further Links
- Wiki article on using Snare versus WMI versus Splunk remote forwarding
- Wiki article on running multiple instances of Splunk on a single Windows box
- Wiki article on importing .evt files into Splunk
- Wiki article on auditing disk reads and other disk actions using Splunk
- Download Splunk for VMware
- Download Splunk for Change Management