Anthony Reinke » event http://www.anthonyreinke.com Rambling Thoughts of a Random Mind Wed, 01 Feb 2012 22:03:42 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Another good report http://www.anthonyreinke.com/2010/03/24/another-good-report/ http://www.anthonyreinke.com/2010/03/24/another-good-report/#comments Wed, 24 Mar 2010 14:54:34 +0000 Anthony Reinke http://www.anthonyreinke.com/?p=239 This will help to track down failed logins.  This could be due to someone changing their password and still are logged in to a server with the old account information.  The other side is that someone could be trying to brute force an account.

Type=”Failure Audit” sourcetype=”WinEventLog:Security” | chart count by User_Name | sort – count

]]> http://www.anthonyreinke.com/2010/03/24/another-good-report/feed/ 0 Daily Splunk Reports http://www.anthonyreinke.com/2010/03/24/daily-splunk-reports/ http://www.anthonyreinke.com/2010/03/24/daily-splunk-reports/#comments Wed, 24 Mar 2010 13:45:14 +0000 Anthony Reinke http://www.anthonyreinke.com/?p=237 So I am a full convert and profit of Splunk now.  I have been using it at work for around 4 months now.  I have rolled it out to our domain controllers and have started rolling it to all our Windows and *nix servers.  The ability to find out who did what has made my job so much easier.  There was an incident where an OU was deleted in our AD.  I was able to see exactly who and when did it.  Normally this type of searching wasn’t possible or at least hard to get due to the size of our infrastructure.  Our Event Logs roll over around once an hour.  The OU was deleted 8 hours before we were contacted.

Here is a few of the reports I have scheduled to get every morning to take a look at what has happened in my environment.

User Accounts deleted:

EventCode=”630″ | fields Caller_User_Name, Target_Domain,  Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Account | rename host as DomainController | rename Target_Domain as Users_Domain

User Accounts created:

EventCode=”624″ | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Modified_Account | rename host as DomainController | rename New_Domain as New_Account_Domain

Computer Accounts deleted:

EventCode=”647″ | fields Caller_User_Name, Target_Domain, Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Computer | rename host as DomainController | rename Target_Domain as Removed_Domain

Computer Accounts created:

EventCode=”645″ | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename New_Account_Name as New_Computer | rename host as DomainController | rename New_Domain as Joined_Domain

]]> http://www.anthonyreinke.com/2010/03/24/daily-splunk-reports/feed/ 0 OSSEC and Splunk http://www.anthonyreinke.com/2009/07/27/ossec-and-splunk/ http://www.anthonyreinke.com/2009/07/27/ossec-and-splunk/#comments Tue, 28 Jul 2009 01:55:54 +0000 Anthony Reinke http://www.anthonyreinke.com/?p=66 I have been playing with OSSEC and Splunk.  OSSEC is a Host based Intrusion Detection System (HIDS).  Splunk is a log archiving and searching system.  OSSEC is open source and is multiple platform.  You can run it on Linux/Unix and Windows.  I am using OSSEC to forward Windows Event Logs to Splunk.  Splunk makes the searching and correlation.  Splunk can do WMI.  This would be great since no agent would need to be installed.  The problems is that if you have more than 30-50 systems, the amount time and traffic would cause issues.  Using the OSSEC agent, I am able to push the event logs to the OSSEC server.  From there the OSSEC server will upload to the Splunk server via Syslog.

Right now I have the servers all talking but I do need to adjust a few things.  Right now Splunk sees all the hosts as the OSSEC server.  I believe I just need to tweak the fields.  The question is how.

Splunk
http://www.splunk.com

OSSEC
http://www.ossec.net

]]> http://www.anthonyreinke.com/2009/07/27/ossec-and-splunk/feed/ 1