Example: Set Up Forwarding to SecureWorks
Suppose SecureWorks is already in place in your environment and is used for tracking the operation of Syslog-enabled systems. For Windows network auditing, you use InTrust and Change Auditor. You would like to extend the scope of your SecureWorks coverage to include suspicious user activity in the Windows network.
Make Sure You Have the Data
To capture suspicious administrative activity, you would need to look at the following:
- User session events provided by InTrust
These events provide a deep insight into user logons, logoffs and sessions. - Change Auditor for Active Directory log
This log provides fine-grained information about all changes to Active Directory.
Confirm that these data sources are used by the collections that work with your repository.
Configure the Forwarding
You need to enable forwarding for the repository that you have chosen for this purpose. Go to the properties of the repository and, on the Forwarding tab, select Enable forwarding and specify where the messages should go.
After you have completed the collection setup, confirm that the forwarding is really working. Wait a few minutes for the new settings to take effect. After that, log on to some of the computers that InTrust is watching, and try to make Active Directory changes. Then check on the SecureWorks appliance whether it has registered your activity.
Example: Set Up Forwarding to Splunk
Suppose Splunk is deployed in your environment for analyzing Windows security events. You would like to use InTrust as the forwarding mechanism. The data you need goes to a repository that is set aside specifically for forwarding purposes. The repository has only Windows Security log data.
Get Splunk Ready
|
|
Caution: For the sake of speed, the Splunk forwarding component of InTrust uses the UDP protocol, so successful delivery of forwarded data is not guaranteed. |
You need to perform two procedures in Splunk (and maybe restart it), as described below.
Step 1: Define a Source Type
To make sure that event fields are recognized correctly, make a specialized source type for incoming InTrust data. If you want to use the Splunk UI for this, configure the options as follows (the last three options are set up in the Advanced group):
|
Option |
Value |
|---|---|
|
Category |
Structured |
|
Indexed extractions |
json |
|
NO_BINARY_CHECK |
true |
|
SHOULD_LINEMERGE |
false |
|
pulldown_type |
1 |
If you want to skip configuration through the Splunk UI, include the following snippet in the <Splunk_installation_folder>\etc\apps\search\local\props.conf file:
[InTrust]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
pulldown_type = 1
Step 2: Configure a Network Input
In Splunk, add a new UDP network input and apply your new source type to it. Configure the network input as necessary, but make sure you set up the following:
- It must use the UDP protocol.
- Specify the source type you defined earlier; in this example, it is InTrust.
Make a note of the port number where Splunk will listen for forwarded UDP traffic. You are going to need it for InTrust forwarding configuration.
If you want to skip configuration through the Splunk UI, include the following snippet in the <Splunk_installation_folder>\etc\apps\search\local\inputs.conf file:
[udp://514]
connection_host = ip
index = main
sourcetype = InTrust
For details about the various ways that you can add network inputs in Splunk, see the "Get data from TCP and UDP ports" article in the documentation of your version of Splunk.
Step 3 (Conditional): Restart Splunk
If you made your changes by editing configuration files, restart Splunk to apply them; use either the splunk stop and splunk start commands or the Restart action in the Splunk UI. For details, see the Splunk documentation.
Configure the Forwarding
To send data to Splunk, enable forwarding for the repository with the necessary data. Go to the properties of the repository and, on the Forwarding tab, select Enable forwarding and specify where the data should go.
Select Splunk (JSON) as the message format, and specify the correct Splunk host name and the UDP port where the forwarded data is expected.
After you have completed the collection setup, confirm that the forwarding is really working. Wait a few minutes for the new settings to take effect. After that, log on to some of the computers that InTrust is watching, and try to make Active Directory changes. Then open Splunk and check whether your activity has registered.