Monitoring Windows Event Logs in Splunk
By: Karl Cepull | Senior Director, Operational Intelligence
Splunk is a widely accepted tool for log aggregation and analysis in both security and IT Ops use cases. Splunk’s add-ons for Microsoft Windows, including Exchange and Active Directory, rely on Windows Event Logs being available and a forwarder used to send those logs into Splunk. Windows logs provide a wealth of information with every action taken. The problem is the volume of information available means ingesting a large amount of non-relevant data into Splunk. Looking at a couple of general use cases, here is a list of Windows Event IDs to add when looking for specific information.
Use Case 1: Security
Windows Security can include several of the other use cases listed below. These are Event IDs that indicate suspicious or unusual activity.
| EventID | Priority | Description | Sub-Codes |
| 1102 | High | The audit log was cleared. Probably want to investigate why. | |
| 4767 | High | Account Unlocked | |
| 4740 | High | Account Locked Out | |
| 4771 | High | Kerberos pre-authentication failed | |
| 4772 | High | A Kerberos authentication ticket request failed | |
| 4820 | High | Kerberos Ticket-Granting-Ticket was denied because the device does not meet the access control restrictions. | 0x12 (account disabled), 0x18 (bad password), 0x6 (bad username) |
| 4625 | High | Logon Failure. Sub-codes begin with 0xC00000. | 64 (user doesn’t exist), 6A (bad password), 234 (user currently locked out), 72 (account disabled), 6F (logon outside of permitted times), 193 (account expiration) |
| 4719 | Medium | System audit policy was changed. | |
| 4728 | Medium | A user was added to a privileged global group | |
| 4732 | High | A user was added to a privileged local group | |
| 4756 | High | A user was added to a privileged universal group | |
| 4782 | High | Password hash an account was accessed |
Use Case 2: IT Operations
While there are several different Event IDs to monitor for all aspects of IT Operations, a few important ones are listed here. These are events a system administration should pay special attention to.
| EventID | Priority | Description |
| 1101 | Medium | Audit events have been dropped by transport. Possibly dirty shutdown. |
| 1104 | High | The security log is now full. There will be holes in your logs if not fixed. |
| 4616 | High | System time was changed. |
| 4657 | High | A registry value was changed. |
| 4697 | Medium | An attempt was made to install a service. |
Use Case 3: Monitor User Accounts
A typical user may appear in Windows logs for logging on and off a system. Other user account events should not appear regularly for any one user. Without a larger planned event, where planned account activity is occurring, most of these Event IDs should remain low. Log-on and log-off events are listed here as low priority. Others are higher.
| EventID | Priority | Description |
| 4720 | High | User account created |
| 4723 | Medium | User changed own password |
| 4724 | Medium | Privileged user changed their password |
| 4725 | High | Account disabled |
| 4738 | High | Account changed |
| 4726 | High | Account deleted |
| 4781 | Medium | Account name changed |
| 4624 | Low | Successful logon |
| 4647 | Low | User-initiated logoff |
Use Case 4: Scheduled Tasks
In a recent security scare, the threat was seen creating scheduled tasks to perform actions that compromised data security. Like all other actions, scheduled tasks are logged in Windows Events, and can be added to Splunk.
| EventID | Priority | Description |
| 4698 | Medium | A scheduled task was created |
| 4699 | Medium | A scheduled task was deleted |
| 4700 | Medium | A scheduled task was enabled |
| 4701 | Medium | A scheduled task was disabled |
| 4702 | Medium | A scheduled task was updated |
Use Case 5: Windows Firewall
Windows has a built-in firewall. While this may be disabled by system administrators, environments where the firewall is active can use the event logs to monitor for suspicious activity. Unexpected and unauthorized rules and policies changes are strong indicators of threat, along with unapproved stopping of firewall services.
| EventID | Priority | Description |
| 4946 | High | A rule was added to the Windows Firewall exception list |
| 4947 | High | A rule was modified in the Windows Firewall exception list |
| 4950 | Medium | A setting was changed in Windows Firewall |
| 4954 | Medium | Group Policy settings for Windows Firewall was changed |
| 5025 | High | The Windows Firewall service was stopped |
| 5031 | High | Windows Firewall blocked an application from accepting incoming traffic |
Use Case 6: Windows Filtering Platform
Windows Filtering Platform is a set of API and system services that provide a platform for creating network filtering applications. It’s important to keep an eye on these events to make sure any unexpected or unapproved actions are captured.
| EventID | Priority | Description |
| 5146 | High | The Windows Filtering Platform has blocked a packet. |
| 5147 | High | A more restrictive Windows Filtering Platform filter has blocked a packet. |
| 5148 | High | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. |
| 5149 | High | The DoS attack has subsided and normal processing is being resumed. |
| 5150 | High | The Windows Filtering Platform has blocked a packet. |
| 5151 | High | A more restrictive Windows Filtering Platform filter has blocked a packet. |
| 5152 | High | The Windows Filtering Platform blocked a packet. |
| 5153 | High | A more restrictive Windows Filtering Platform filter has blocked a packet. |
| 5154 | Medium | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
| 5155 | High | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. |
| 5156 | Medium | The Windows Filtering Platform has allowed a connection. |
| 5157 | High | The Windows Filtering Platform has blocked a connection. |
| 5158 | Medium | The Windows Filtering Platform has permitted a bind to a local port. |
| 5159 | Medium | The Windows Filtering Platform has blocked a bind to a local port. |
| 5447 | High | A Windows Filtering Platform filter was changed. |
This is not an exhaustive list of Windows Event Codes, nor is it a complete list for each use case. It’s a starting point for observation and can help to limit the number of events ingested by Splunk from Windows. Start by allowing the Event IDs listed above. As specific use cases develop, a deeper exploration of other Event IDs can help expand Splunk’s scope and effectiveness.
Adding Event IDs to Splunk
The easiest way to monitor Windows Event Logs in Splunk is to use the Splunk Add-On for Microsoft Windows. After installing the app, create a folder named “local” inside the app. Then, copy inputs.conf from the app’s “Default” folder and paste it in the local folder. Within each of the input stanzas, an allowed list can be added based on the pre-defined categories within the add-on.
[WinEventLog://Application]
| [WinEventLog://Security]
| [WinEventLog://System]
|
Based on the use cases above, add the setting “whitelist=” to the stanza, followed by a comma-separated list of Event IDs. For example, to monitor “System,” use the IT Ops Event IDs. The stanza would then look like this:
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
whitelist = 1101, 1104, 4616, 4657, 4697
The same can be done with the other input stanzas for more comprehensive coverage of Windows Event Logs.
Contact us for more tips and tricks on monitoring Windows Event Logs with Splunk!