This quick start guide will help Accenture MDR customers configure Splunk® Enterprise™ for Windows® to send logs to the Log Collection Platform (LCP).
...
Table 1-1: Port requirements for LCP communication.
| Source | Destination | Port | Description |
|---|---|---|---|
| Splunk Enterprise for Windows events | LCP | 514 (UDP) or 601 (TCP) | Default port |
Note: Please discuss with the onboarding team if you have any other technologies sending logs to the LCP over the same port and protocol.
...
Table 1-2: Properties of the Splunk Enterprise for Windows event collector (Syslog - 3780) that MDR configures.
| Property | Default Value | Description |
|---|---|---|
| Protocol | TCP | Default protocol for syslog events. |
| IP Address | Splunk Enterprise for Windows IP address | Logging device IP address given in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs from multiple interfaces, contact the Accenture Security MDR onboarding team. |
| Signature | LogName=Security, LogName=Application, LogName=System | MDR-recommended signatures processed by the Splunk Enterprise for Windows event collector. |
| Port Number | 601 | The default port for syslog. Note: Please discuss with the onboarding team if you have any other technologies sending logs to the LCP over the same port and protocol. |
Sample Logs
Windows 2008
Jul 25 06:16:06 Test 07/25/2014 06:16:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4754 EventType=0 Type=Information ComputerName=example.com TaskCategory=Security Group Management OpCode=Info RecordNumber=1901 Keywords=Audit Success Message=A security-enabled universal group was created. Subject: Security ID: NT AUTHORITY\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: TEST Logon ID: 0x3e6 Group: Security ID: SY\Enterprise Read-only Domain Controllers Group Name: Enterprise Read-only Domain Controllers Group Domain: SY Attributes: SAM Account Name: Enterprise Read-only Domain Controllers SID History: - Additional Information: Privileges:
System Log
Oct 07 12:48:24 Test 10/07/2014 12:48:24 PM LogName=System SourceName=WinHttpAutoProxySvc EventCode=12503 EventType=4 Type=Information ComputerName=SYMANTEC-XITEST5 Category=0 CategoryString=none RecordNumber=89088 Message=The WinHTTP Web Proxy Auto-Discovery Service has been idle for 15 minutes, it will be shut down.
Application Log
Jun 30 07:30:32 Test 06/30/2014 07:30:32 AM LogName=Application SourceName=ESENT EventCode=327 EventType=4 Type=Information ComputerName=WIN-LAGTESTN10J TaskCategory=General OpCode=Info RecordNumber=396975 Keywords=Classic Message=svchost (1444) The database engine detached a database (1, C:\Windows\system32\LogFiles\Sum\SystemIdentity.mdb). (Time=0 seconds) Internal Timing Sequence:
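The three samples share one layout: a syslog header, the Windows event timestamp, then space-separated key=value fields whose values may themselves contain spaces, with the free-text Message always last. The Python below is an added example, not part of the Accenture guide and not Splunk's own tooling: it parses that layout, keeps the Message whole even when it contains an '=' (as in the ESENT sample's "(Time=0 seconds)"), and filters events on the three LogName signatures from Table 1-2, counting anything that is malformed or outside those signatures. The sample lines are constructed from the abridged samples above; their field values are illustrative.

```python
import re
from collections import Counter

# Constructed sample lines in the Splunk Enterprise for Windows syslog layout shown above.
# The Security event is abridged; values are illustrative, not captured data.
SAMPLE_LINES = [
    "Jul 25 06:16:06 Test 07/25/2014 06:16:06 AM LogName=Security "
    "SourceName=Microsoft Windows security auditing. EventCode=4754 EventType=0 "
    "Type=Information ComputerName=example.com TaskCategory=Security Group Management "
    "OpCode=Info RecordNumber=1901 Keywords=Audit Success "
    "Message=A security-enabled universal group was created. Subject: Security ID: "
    "NT AUTHORITY\\ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: TEST Logon ID: 0x3e6",
    "Oct 07 12:48:24 Test 10/07/2014 12:48:24 PM LogName=System SourceName=WinHttpAutoProxySvc "
    "EventCode=12503 EventType=4 Type=Information ComputerName=SYMANTEC-XITEST5 Category=0 "
    "CategoryString=none RecordNumber=89088 Message=The WinHTTP Web Proxy Auto-Discovery "
    "Service has been idle for 15 minutes, it will be shut down.",
    "Jun 30 07:30:32 Test 06/30/2014 07:30:32 AM LogName=Application SourceName=ESENT "
    "EventCode=327 EventType=4 Type=Information ComputerName=WIN-LAGTESTN10J "
    "TaskCategory=General OpCode=Info RecordNumber=396975 Keywords=Classic "
    "Message=svchost (1444) The database engine detached a database "
    "(1, C:\\Windows\\system32\\LogFiles\\Sum\\SystemIdentity.mdb). (Time=0 seconds)",
    # Constructed: a log name outside the MDR-recommended signatures.
    "Jun 30 07:31:00 Test 06/30/2014 07:31:00 AM LogName=Setup SourceName=Example "
    "EventCode=1 Message=not one of the recommended signatures",
    # Constructed: a line that does not follow the layout at all.
    "this line is not in the expected format",
]

# Syslog header, sending host, Windows event timestamp, then the key=value body.
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<event_ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) "
    r"(?P<body>.*)$"
)
# A field key is a bare word followed by '=' and preceded by whitespace, so that
# '(Time=0' inside a message body is not mistaken for a new field.
KEY_RE = re.compile(r"(?<!\S)([A-Za-z][A-Za-z0-9_]*)=")

# The three signatures from Table 1-2.
RECOMMENDED_LOGNAMES = {"Security", "Application", "System"}


def parse_event(line):
    """Return a dict of fields for one forwarded Windows event, or None if malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {"syslog_ts": m["syslog_ts"], "host": m["host"], "event_ts": m["event_ts"]}
    body = m["body"]
    keys = list(KEY_RE.finditer(body))
    for i, km in enumerate(keys):
        key = km.group(1)
        if key == "Message":
            # Everything after Message= is free text, including any '=' it contains.
            event["Message"] = body[km.end():].strip()
            break
        # A value runs up to the start of the next key, so multi-word values survive.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        event[key] = body[km.end():end].strip()
    return event


def is_recommended_signature(event):
    """True when the event's LogName is one of the signatures MDR processes."""
    return event is not None and event.get("LogName") in RECOMMENDED_LOGNAMES


def summarize(lines):
    """Count accepted events per LogName and report what was dropped and why."""
    per_log = Counter()
    not_recommended = 0
    unparsed = 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed += 1
        elif not is_recommended_signature(ev):
            not_recommended += 1
        else:
            per_log[ev["LogName"]] += 1
    return {"per_log": dict(per_log), "not_recommended": not_recommended, "unparsed": unparsed}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_event(line)
        if ev is None:
            print("unparsed:", line[:40])
        else:
            print(ev.get("LogName"), ev.get("EventCode"), ev.get("ComputerName"), "-", ev.get("Message", "")[:50])
    print(summarize(SAMPLE_LINES))
```

The unparsed and not_recommended counters are the numbers worth watching after onboarding: a rising unparsed count usually means the collector's output format changed, while a rising not_recommended count means the Splunk side is forwarding log names beyond the three signatures in Table 1-2.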
...