Accenture MDR Quick Start Guide for Splunk® Enterprise™ for Windows® Events

This quick start guide will help Accenture MDR customers configure Splunk® Enterprise™ for Windows® to send logs to the Log collection Platform (LCP).

The document includes the following topics:

 

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal - https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source

Destination

Port

Description

Splunk Enterprise for Windows events

LCP

514 (UDP) or

601 (TCP)

Default port

Note: Please discuss with onboarding team if you have any technologies sending logs to LCP with same port and protocol

Configuring Splunk Enterprise for Windows Events

Note: 

  • Splunk Heavy Forwarder sends indexed events to the LCP using syslog protocol, which uses RFC 5424. Splunk provides the parameters to set the maximum size of an event that can be transmitted over syslog. This functionality has been introduced in version 6.2; therefore, Microsoft Windows via Splunk Enterprise Syslog event collector will not be supporting previous releases over syslog.

  • You need to configure Splunk Enterprise to send syslog messages to the LCP and also configure it to send only Windows-based logs to the LCP. Splunk indexes data from a number of different products, but Accenture Security MDR monitors only Windows events. So, the configuration should be such as to send only Windows container logs to the LCP. To accomplish this, a syslog output processor is required which is only a part of heavy forwarder (Splunk Enterprise).

  • The file path given in the configuration steps is same in both Windows and Linux platform. You need to navigate to the Splunk installation root folder to configure the above mentioned file. These files (output.conf, transform.conf, and props.conf) can also be present under a different location, such as …\etc\system\default\..., but for given configuration to work, the file under the “local” folder needs to be changed.

 To configure Splunk to send the output using syslog, follow the steps below.

  1. Navigate to the Splunk installation root folder: %Splunk_Installation_Path%\etc\system\local\outputs.conf. All the configuration changes must to be performed on the file in the local folder. 

  2. Edit the outputs.conf file and do one of the configuration steps:

If you do not have existing syslog configuration, add the following configuration under syslog.

[syslog]

defaultGroup = SymantecMSS

[syslog:SymantecMSS]

server = LCP_IP_Address:Port_Number

type = tcp

priority = 13

timestampformat =  %b %d %H:%M:%S

maxEventSize = 16384

Note:

Server: Add LCP IP address and Port number

Type: Default is udp for Splunk, but MDR recommends TCP.

Priority: 13 is default value for auditing. Collector doesn't support if this field is set to NO_PRI.  Refer the URL for reference:  http://docs.splunk.com/Documentation/ Splunk/6.2.2/Admin/Outputsconf). 

MaxEventSize: MDR recommended value. All events exceeding this size will be truncated.

If you have an existing syslog configuration, add the following configuration after the existing group. 

For example, you may have the existing group name as "Sync1" and the Symantec MDR specified group is "SymantecMSS". So the settings need to be explicit and independent as below.

[syslog]

defaultGroup = Sync1,SymantecMSS

[syslog:Sync1]

server = customer_defined_server

Attribute2…=

Attribute3…=

# This ends settings for Sync1. Add, MSS defined settings here:

[syslog:SymantecMSS]

server = LCP_IP_Address:Port_Number

type = tcp

priority = 13

timestampformat =  %b %d %H:%M:%S

maxEventSize = 16384

 

Note:

  • Server: Add LCP IP address and Port number

  • Type: Default is udp for Splunk, but MDR recommends TCP.

  • Priority: 13 is default value for auditing. Collector doesn't support if this field is set to NO_PRI.  Refer the URL for reference:  http://docs.splunk.com/Documentation/ Splunk/6.2.2/Admin/Outputsconf). 

  • MaxEventSize: MDR recommended value. All events exceeding this size will be truncated.

 To configure Splunk to route only Windows logs to the LCP and filter others, follow the steps below.

  1. Navigate to the Splunk installation root folder %Splunk_Installation_Path%\etc\system\local\props.conf. All the configuration changes must to be performed on the file in the local folder. 

2. Edit the props.conf file and add the below routing attribute at the bottom.

[source::WinEventLog:*]

TRANSFORMS-WinEventLog=SymantecMSSStanza - This can be any name.

3. Save and close the file.

4. Navigate to the Splunk installation root folder %Splunk_Installation_Path%\etc\system\local\transforms.conf. All the configuration changes must be performed on the file in the local folder.

5. Edit the transforms.conf file and add the below stanza at the bottom.

6. Edit $SPLUNK_HOME/etc/system/local/transforms.conf and set rules to match your props.conf stanza (i.e. SymantecMSSStanza):

[SymantecMSSStanza]

# This is stanza name which is defined in props.conf.

REGEX=.

DEST_KEY=_SYSLOG_ROUTING

FORMAT=SymantecMSS

# This is group name which defined in outputs.conf file

 

Note: All these file attributes are case-sensitive and has to be used as mentioned. Refer the following documentation for complete visibility on configuration: 

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Outputsconfhttp://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Propsconf, and http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Transformsconf

 LCP Configuration Parameters

Table 1-2: The Splunk Enterprise for Windows event collector (Syslog - 3780) properties to be configured by MDR are shown in the table.

Property

Default Value

Description

Protocol

TCP

Default protocol for syslog events.

IP Address

Splunk Enterprise for Windows IP address

Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).

Note: If the device sends logs using multiple interfaces, contact the Accenture Security MDR onboarding team.

Signature

LogName=Security,

LogName=Application,

LogName=System

MDR recommended signatures processed by the Splunk Enterprise for Windows event collector.

Port Number

601

The default port for syslog.

Note: Please discuss with onboarding team if you have any technologies sending logs to LCP with same port and protocol

 

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.