Our goal here is to create an Alert when an unauthorized user tries to log in. This will generate a user logon alert in Splunk if someone with the wrong credentials tries to login into your windows PC.

Procedure :

  • We are going to install Splunk universal forwarder (package) into remote windows PC (PC1)
  • Collect windows event logs on PC1
  • Forward those Logs from PC1 to PC2, where we are going to index the data on Splunk Indexer
  • And in PC2 Splunk instance we are going to create Alert

Configuring Splunk Universal Forwarder:-

Host Name: ACi25N
To collect Windows Events Logs, add the below inputs.conf file into Universal Forwarder (PC1) or just create one with the following stanza.
(Path :-  $Splunk_Directory$Splunketcsystemlocal)

Now, to forward this data to PC2 add or create outputs.conf into Universal Forwarder (PC1) with the following Stanza.
(Path: – $Splunk_Directory$Splunketcsystemlocal)

Configuring Splunk Indexer:-

Host Name: ACI3NEWP         
To receive data coming from Forwarder add or create inputs.conf into Splunk Indexer with the following Stanza.
(Path:-  $Splunk_Directory$Splunketcsystemlocal)

Open Splunk Indexer instance to check whether data is actually being indexed into indexer or not.
Query: index=”wineventlog”

Now create a lookup file with Fields Host_Name and User_Name which only have values of PC1 and PC2.
A lookup file with user’s details authorized to use respective host
Query: |inputlookup logon

Now run following query on which we are going to create alert:
Index=”wineventlog”Account_Name!=”$”|eval temp=mvindex(Account_Name,-1)|lookup logon Host_Name as ComputerName|eval Status=if(temp=User_Name,”1”,”0”)|table ComputerName temp User_Name Status

Saved the result as Alert

 If you are still facing issue regarding user logon alert Feel free to Ask Doubts in the Comment Box Below and Don’t Forget to Follow us on 👍 Social Networks, happy Splunking >😉