Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Splunk App for Windows Event Logs

Current version: 1.4.1 - Download

The Windows Event Log App assumes that Splunk is collecting information from Windows servers and workstation via one of the following methods:

hy Splunk Universal Forwarder installed on the source computer
hy Windows Event Log Forwarding configured on the source computer combined with Splunk Universal Forwarder on the collector computer
hy Remote Windows Event Log collection via WMI as Splunk input

All these methods will collect the events and either collect them in the "wineventlog" Splunk index or record them in the default index with source the source set as "*WinEventLog*" (notice the wildcards). The app analyzes the entries matching these criteria (index="wineventlog" OR source=*WinEventLog*). This matches the defaults used by the Universal Forwarder, the collection of local Windows event logs and the collection via WMI.

To collect the logs from remote computers without installing the Universal Forwarded on each computer, configure the forwarding of event logs to central location using the Windows built-in event forwarding. See Configure Computers to Forward and Collect Events for details on how to configure a computer as a collector of logs.

If not data is displayed, please verify that the Universal Forwarder is installed properly and that the all the Windows event logs are sent to the "wineventlog" index (or the WinEventLog* sources).

If the data is stored in a different index, the user can update the macros.conf [event_sources] section. In order to create the proper indexes, we recommend the installation of the Splunk Add-on for Microsoft Windows app.

The Interesting Processes section from the Processes dashboard is partially based on a presentation by Michael Gough from "The Top 10 Windows Event ID's Used To Catch Hackers In The Act". See for the presentation slides and information on how to enable the auditing of processes, including command-line based ones. The list of "interesting processes" is based on a study by JPCERT CC (Japan Computer Emergency Response Team Coordination Center) on detecting lateral movement through tracking of event logs. The list is stored in C:\Program Files\Splunk\etc\apps\eventid\lookups\interesting_processes.csv and it can be adjusted with a text editor if needed.

The XML dashboard is design to report Windows events rendered from the XML by using the renderXML stanza. The renderXML option reduced the volume of data to about 25% of the regular events, however some details such as the full description of the event are no longer recorded. See Feature Overview: XML Event Logs for more details.



Audit Events

The Processes dashboard is based on a sample configuration described by Michael Gough from Malware Archeology in his Windows 10 Top Events To Monitor presentation. See the presentation for details on how to configure the audit of processes, including commands submitted froma command line prompt. For full functionality, enable the audit of the full command line arguments as described in Command-Line Process Auditing.


Interesting Events

Each of the dashboard can be set as an alarm (i.e. notifications when a certain number of failed logins are recorded, when certain processes are executed, etc).

Send any suggestions and questions to [email protected] We can also provide advice in setting up the Splunk receiver for the Universal Forwarder.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.