I’ve just got back from .Conf 2012 in Las Vegas, and it was a great conference. I had a great time and met some great customers. We had a booth in the Splunk Labs area demonstrating both the Splunk for Microsoft Exchange app and the Splunk for Microsoft Windows Active Directory app. We spoke to a lot of customers, many of whom were implementing the apps, and even more thought they should be implementing them after seeing the demo. We did two very technical sessions on best practices for deploying each app. We found that too many gigabytes give you a hangover. And yes the rumors are true, there was a monkey.
While at the booth and after the sessions, I answered some fairly common questions, so I’m going to start blogging a little more frequently to share those questions and of course my answers. My first one is this: “How do I alter the Splunk_TA_windows to log to winevents (as recommended) instead of main?”
The Splunk_TA_windows, also known as the Splunk Technology Addon for Windows, collects and parses common logs from Microsoft Windows hosts, such as the Windows Event Log for Security. The Splunk App for Microsoft Windows Active Directory also uses the Windows Event Log for Security to gather audit information, so it was a good idea to not duplicate effort here. Out of the box (or, in this case, as downloaded from Splunkbase) the Splunk_TA_windows stores these windows event logs in the default index, known as “main”.
The best practice for the Splunk App for Active Directory is to store these common windows event logs in a separate index – for example, “winevents” is used to store other AD related windows event logs and so would be an ideal place.
Splunk recommends the use of a Deployment Server to manage the apps pushed out to the forwarders, and so we will assume this best practice. In this case, the Splunk_TA_windows is stored on the deployment server in $SPLUNK_HOME/etc/deployment-apps, and we will be editing the endpoint files in this location.
Our process has two basic steps:
- Configure Splunk_TA_windows to store events in the different index
- Configure Splunk_for_ActiveDirectory to look for events in a different index
Yep – only two steps. Very straight forward. Let’s start with Step 1 – configuring Splunk_TA_windows to store events in the different index. To do this, create a file in $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_windows/local called inputs.conf and add the following entries:
Save this file, then push out the changes with:
splunk refresh deploy-clients
The Windows Event Logs should now flow into the winevents index. Of course, you should make sure you have created the winevents index prior to pushing out, but if you have installed the Splunk_for_ActiveDirectory app, then that’s already taken care of.
Our second step is to configure the Splunk_for_ActiveDirectory app to look for these Windows Event Logs in the new index. To do this, we need to create a new file under $SPLUNK_HOME/etc/apps/Splunk_for_ActiveDirectory/local called eventtypes.conf, with the following contents:
search = index=winevents source=WinEventLog:Application
search = index=winevents source=WinEventLog:System
search = index=winevents source=WinEventLog:Security
Save the file, and then refresh the server. You can do this simply (but slowly) by restarting through the Manager or with the “splunk restart” command-line version. Alternatively, you can log on to the web interface as an Administrator, then open another tab and browse to http://splunk-server:8000/debug/refresh – this will refresh the event types without restarting.
If you already have data within the main index, you can use “(index=main OR index=winevents)” in the search strings until the data is no longer useful. This will prevent you having to move the events.
As is always the case, you can always send your feedback for the Microsoft Solutions apps to me at Microsoft@splunk.com.