User Logon Alert

Our goal here is to create an alert that fires when an unauthorized user tries to log in. Splunk will raise the alert if someone with wrong credentials tries to log in to your Windows PC.

Procedure:
  • Install the Splunk Universal Forwarder package on the remote Windows PC (PC1).
  • Collect Windows event logs on PC1.
  • Forward those logs from PC1 to PC2, where the Splunk indexer indexes the data.
  • Create the alert on the Splunk instance on PC2.

Configuring Splunk Universal Forwarder:

Host Name: ACi25N
To collect Windows event logs, add the inputs.conf file below to the Universal Forwarder on PC1, or create one with the following stanza.
(Path: $Splunk_Directory$\Splunk\etc\system\local)

Now, to forward this data to PC2, add or create outputs.conf on the Universal Forwarder (PC1) with the following stanza.
(Path: $Splunk_Directory$\Splunk\etc\system\local)
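The two forwarder-side files for the steps above, as an added example rather than the stanzas from the original post (which were shown as images). Assumptions: the indexer ACI3NEWP resolves by name from PC1 and listens on Splunk's default receiving port 9997, the index name wineventlog is the one the indexer queries later on this page use, and the event ID whitelist is my addition.

```ini
# --- inputs.conf on PC1 (Universal Forwarder), etc\system\local ---
# Collect the Windows Security log. The default classic (non-XML) rendering
# yields the Account_Name and ComputerName fields the alert search relies on.
[WinEventLog://Security]
disabled = 0
index = wineventlog
# Optional, added here and not in the original post: forward only logon
# success (4624) and failure (4625) events to keep the indexed volume down.
whitelist = 4624,4625

# --- outputs.conf on PC1 (Universal Forwarder), etc\system\local ---
# Send everything this forwarder collects to the indexer on PC2.
[tcpout]
defaultGroup = pc2_indexer

[tcpout:pc2_indexer]
# Host name of PC2 from the post; use its IP address if the name does not
# resolve. 9997 is the receiving port the indexer stanza opens.
server = ACI3NEWP:9997
```

Restart the forwarder after saving both files (splunk.exe restart from the forwarder's bin directory). Note that a default Windows install of the forwarder lives under SplunkUniversalForwarder rather than Splunk, so adjust the path above accordingly.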

Configuring Splunk Indexer:

Host Name: ACI3NEWP
To receive the data coming from the forwarder, add or create inputs.conf on the Splunk indexer with the following stanza.
(Path: $Splunk_Directory$\Splunk\etc\system\local)

Open the Splunk indexer instance to check whether the data is actually being indexed.
Query: index="wineventlog"
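The indexer-side configuration for the receiving step above, as an added example and not the post's own stanza. It also creates the wineventlog index, which the post assumes already exists: the forwarder tags its events with index=wineventlog, and events addressed to an index that does not exist on the indexer are not indexed. The port and paths are assumptions matching the forwarder example.

```ini
# --- inputs.conf on PC2 (indexer), etc\system\local ---
# Open the receiving port that the forwarder's outputs.conf points at.
[splunktcp://9997]
disabled = 0

# --- indexes.conf on PC2 (indexer), etc\system\local ---
# Define the index the forwarder writes to; $SPLUNK_DB is the indexer's
# default data directory.
[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
```

Restart Splunk on PC2, allow inbound TCP 9997 in the Windows firewall on PC2, and then confirm arrival with index="wineventlog" | stats count by host, sourcetype, which should list host ACi25N with sourcetype WinEventLog:Security.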

Now create a lookup file with the fields Host_Name and User_Name that only has entries for PC1 and PC2: a lookup file listing the users authorized to use each host.
Query: |inputlookup logon

Now run the following query, on which we are going to create the alert:
index="wineventlog" Account_Name!="$" | eval temp=mvindex(Account_Name,-1) | lookup logon Host_Name as ComputerName | eval Status=if(temp=User_Name,"1","0") | table ComputerName temp User_Name Status

Save the result as an alert.
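The lookup definition and the alert written as .conf stanzas, as an added example and not the post's own saved alert; keeping them as files means the detection can be reviewed and version-controlled rather than living only in the UI. logon.csv is assumed to sit in etc\system\lookups with the header Host_Name,User_Name and one row per authorized user per host (constructed rows such as ACi25N,alice and ACI3NEWP,bob). The search differs from the query above in three ways, all my choices: it is limited to logon events (4624 success, 4625 failure, which the original does not filter on), the machine-account filter is applied to the extracted account name (Account_Name!="$" in the original only drops the literal value $), and the lookup matches on both host and user, which handles several authorized users per host without comparing against a multivalue field. Only Status=0 rows reach the alert.

```ini
# --- transforms.conf on PC2, etc\system\local ---
# Lookup definition backing "| lookup logon ..." and "| inputlookup logon".
[logon]
filename = logon.csv
# Windows account names are case-insensitive; CSV lookups are case-sensitive
# by default, so "Alice" would otherwise fail to match "alice".
case_sensitive_match = false

# --- savedsearches.conf on PC2, etc\system\local ---
# Runs every 5 minutes over the last 5 minutes and fires when any row comes back.
# Pipeline: Account_Name appears twice in 4624/4625 (subject, then target), so
# mvindex(-1) takes the target account; like(temp, "%$") drops machine accounts
# (names ending in $); the lookup on both keys sets Authorized_User only when the
# host/user pair is listed in logon.csv.
[Unauthorized Windows logon attempt]
search = index="wineventlog" sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625) \
    | eval temp=mvindex(Account_Name,-1) \
    | where NOT like(temp, "%$") \
    | lookup logon Host_Name AS ComputerName User_Name AS temp OUTPUT User_Name AS Authorized_User \
    | eval Status=if(isnotnull(Authorized_User), "1", "0") \
    | where Status="0" \
    | table _time ComputerName temp EventCode Status
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
# Throttle repeats: one alert per host/account pair per hour, so a burst of
# failed attempts does not flood the triggered-alerts list.
alert.suppress = 1
alert.suppress.fields = ComputerName,temp
alert.suppress.period = 1h
```

EventCode is kept in the table so the analyst can see at a glance whether the unlisted account merely failed (4625) or actually got in (4624); the latter is the case worth escalating first.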

If you are still facing issues regarding this topic, feel free to ask your doubts in the comment box below, and don't forget to follow us on 👍 social networks. Happy Splunking! 😉
User Logon Alert Reviewed by Avotrix.Author on Thursday, January 24, 2019 Rating: 5
