#Splunk file monitor windows
This is an essential add-on that collects the Windows Security Event Log by default for you.
#Splunk file monitor install
I generally install the Splunk Universal Forwarder on the host and deploy the Splunk_TA_windows to the host. The final step is to make that information appear in a Splunk instance. You should be able to see audit information in your Security event log. Remember that the exact process changes slightly between versions of Windows Server, so be aware that the exact paths may be slightly modified, but they will be called the same thing. Check the Successful and Failed boxes, then click on OK Enter the name of the users you wish auditing (Everyone is usually a good choice!), click on Find Now to ensure it is registered, then click on OKĨ. Right-click on the folder and select Properties.ħ. Browse to the folder you want to turn auditing on.ģ. Open up the File Explorer by right-clicking and selecting Run As Administrator.Ģ.
For each folder, following this process:ġ. You normally do this for only a select few places and users, since the information generated is very chatty. The next piece is to turn on auditing for a specific folder (and all its sub-folders and files). Once it is distributed (which happens roughly every 4 hours by default), your selected systems will have audit forced on. You can do a similar thing in group policy – create a new group policy object, edit it, open Computer Configuration and find the Local Security Policy, then adjust as described above, save it and then apply it to some machines in the normal manner. Click on OK, then close the Local Security Policy window. Ensure “Success” and “Failure” are both checkedĥ. Right-click on “Object Access Audit” and select PropertiesĤ. Open up Administrative Tools -> Local Security Policy, or run secpol.mscģ. To turn on object access audit using the local security policy, following this process:ġ. You may even have this turned on already. This can be done centrally via a group policy object or it can be done on the local machine. To turn on object access auditing, you need to alter the local security policy. You need to collect and interpret events from the system.The Shared Folder needs to have auditing enabled.Object Access Auditing needs to be turned on.We just need to do a few things to get the information into Splunk. Windows has built-in facilities for doing this. This is not an unreasonable task, but it is different in every single operating system. One of the bigger problems that we come across is auditing of file systems – specifically, you want to know who read, modified, deleted or created files in a shared area.
0 kommentar(er)
