
2.9. Install Supercharger with Splunk Free and the Splunk App for LOGbinder

Note: Select a computer to run Supercharger and Splunk 

Installing and Configuring Supercharger

    Installing Supercharger

    Create Custom Log for Domain Controller Forwarded Events

    Create a Subscription to Forward Domain Controller logs

Preparing Active Directory

    Group Policy

         Add Collector as a Targeted Subscription Manager

         Configure Permissions for Security Log Access on Domain Controllers

         Audit Policy

    Active Directory Users and Computers

         Configure Object Level Audit Policy

Install Splunk Free

Install Splunk App for LOGbinder

Installing and Configuring Supercharger

Installing Supercharger

  1. Download Supercharger from LOGbinder.com.
  2. Run the installation file.
  3. Perform a default installation.
    1. For further information go to this Installing Supercharger KB article.
    2. The installer will install IIS if it is not installed and will reboot the server. The installation will resume upon login.
  4. Supercharger will automatically open the web browser upon completion of the installation.
    ***Please note that if your DCs run Windows Server 2008 R2, you will need to run "winrm qc" on each DC in an elevated cmd prompt.***

Create Custom Log for Domain Controller Forwarded Events

  1. Click on your collector in the dashboard.
  2. Click on the "Subscriptions and Logs" tab and then on the "Create Event Log" button.
  3. Configure the new event log and click "Submit".
    1. The log must be named ADChanges.
    2. The log path can be customized.
    3. The maximum log size can be customized but must be at least 511,967,232 bytes.


Create a Subscription to Forward Domain Controller logs

  1. On the "Subscriptions and Logs" tab click on the "Create Subscription" button.
  2. On the “Create Subscription” screen enter a name and description. Select the previously created log, “Supercharger-Destination-ADChanges/Log”. Select “Builtin Deterministic 100% for High Value Servers” from the “Subscription Policy” dropdown.
  3. Click on the “Add forwarder” button and then search for “domain controllers”. Select “Domain Controllers” in the “Results” window and then click “OK”.
  4. For "Subscription Filter" select "Builtin – Security: Active Directory Changes” from the dropdown then click “Submit”.
Preparing Active Directory

Group Policy

    Add Collector as a Targeted Subscription Manager

  1. Connect to the Domain Controller.
  2. Right click on "Start", select "Run" and run "gpmc.msc".

  3. Expand the "Domain Controllers" OU, right click on "Default Domain Controllers Policy" and select "Edit".

  4. In Group Policy Management Editor, navigate to the following location: Default Domain Policy\Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding

  5. Double click on “Configure target Subscription Manager” on the right.
  6. Select “Enabled” and then click the “Show” button.
  7. Add the collector to the "SubscriptionManagers" list. This string can be found in Supercharger by clicking on "Quick Start" and then expanding the "Configure potential source computers with Group Policy" section. Under #2 you will find the collector string syntax. Copy and paste this string; do not copy the bullet point. Use the following syntax:
    Server=http://<FQDN of the collector>:5985/wsman/SubscriptionManager/WEC,Refresh=900 where FQDN is the collector's fully qualified name, for example "servername.domain.abc".
Configure Permissions for Security Log Access on Domain Controllers 

  1. Connect to the Domain Controller.
  2. Right click on "Start", select "Run" and run "gpmc.msc".

  3. Expand the "Domain Controllers" OU, right click on "Default Domain Controllers Policy" and select "Edit".

  4. Perform one of the two steps from this KB article: Granting Permissions for Security Log Forwarding

Audit Policy

  1. Connect to the Domain Controller.
  2. Right click on "Start", select "Run" and run "gpmc.msc".

  3. Expand the "Domain Controllers" OU, right click on "Default Domain Controllers Policy" and select "Edit".

  4. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options and, in the list of options in the right window, click on "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings".
  5. Set this setting to "Enabled" and click "Apply".
  6. Next, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies.
  7. Select the following policies and enable "Success":
    1. Account Management
      1. Audit Other Account Management Events
      2. Audit Security Group Management
      3. Audit User Account Management
    2. DS Access
      1. Audit Directory Service Changes
      2. Audit Directory Service Replication
    3. Policy Change
      1. Audit Audit Policy Change
      2. Audit Authentication Policy Change
      3. Audit Authorization Policy Change
      4. Audit Other Policy Change Events
    4. System
      1. Audit Security System Extension

Active Directory Users and Computers

Configure Object Level Audit Policy

  1. On the Domain Controller open "Active Directory Users and Computers".
  2. Right click on root of the domain and select "Properties".
  3. Select the Security tab and click on "Advanced".
  4. Select the Auditing tab and click "Add".
  5. Set Principal to "Everyone". Leave Type as "Success" and Applies to "This object and all descendant objects".
  6. Scroll to the bottom of the list and click on "Clear All". Scroll back to the top and select the following options:
    Permissions\Modify Permissions
    Properties\Write gPLink
    Properties\Write gPOptions
  7. Click "OK" and then click "Add" again.
  8. For this second entry set Principal to "Everyone". Leave Type as "Success". Set "Applies to: Descendant groupPolicyContainer objects".
  9. Scroll to the bottom of the list and click on "Clear All". Scroll back to the top and select the following options:
    Permissions\Write all properties
    Permissions\Modify Permissions

Install Splunk Free

  1. Download Splunk Enterprise from splunk.com
  2. Run the installation file.
  3. Perform a default installation.
  4. Login to Splunk and change the default admin password.
  5. When the Splunk Enterprise trial license expires, the license will convert to a perpetual Free license. You can also change this now by clicking on Settings, then Licensing, and changing the license group to Free.

Install Splunk App for LOGbinder

  1. Go to LOGbinder.com and click on the “Resources” tab and look in the “SIEM Integration Resources” section for the “Splunk App for LOGbinder”. Download, extract and save the file.
  2. Login to Splunk and click the gear icon next to Apps.
  3. Click on the "Install app from file" button.
  4. Browse to the file you saved in step 1 and then click the green “Upload” button.

Tips

Supercharger

1. Dashboards usually begin to populate with data within 15 minutes.
2. Check Windows Event Collection
     a. In Supercharger check the subscription. If it is yellow or red, click on the subscription for an explanation.
     b. After the Domain Controllers apply the updated Group Policy, the subscription should eventually go green.
     c. Shortly thereafter, events will begin to show up in the ADChanges log in Event Viewer.
     d. Remember that Domain Controller replication, application of Group Policy, Refresh Interval and Subscription settings can all introduce some initial latency.
3. This article provides extensive steps to troubleshoot problem forwarders.
4. To speed up the sending of events:
     a. In Supercharger edit the Default Subscription Policy (Under Settings\Subscription Policies) and change the Configuration Mode setting to "MinLatency".
     b. Also click on the Collector and run the "Collector Analysis" command.
     c. Another option is to run gpupdate and restart the WinRM service.

Splunk

We are assuming that the Active Directory data will be either in index=main (the default) or index=wineventlog (used by the Splunk App for LOGbinder). The second assumption is that the sourcetype will be WinEventLog:Security. So be sure either to set those values when setting up new inputs or to change props.conf and the macros to accommodate different values.

If the Active Directory dashboards are not populating, you may want to check the following:

1. Check which index the events are being written to by running this search:

index=* source="WinEventLog:Supercharger-Destination-ADChanges/Log" | stats count by index

The app expects the data to be in one of these indexes: index=wineventlog OR index=main. If the events are in some other index, that index can be added to this macro: select_winseclog_events

2. Check whether the sourcetype is set to WinEventLog:Security by running this search:

index=* source="WinEventLog:Supercharger-Destination-ADChanges/Log" | stats count by sourcetype

If that is not the case, then props.conf should be copied to %SPLUNK_HOME%/etc/apps/logbinder/local and the following stanza added to it:

[source::WinEventLog:Supercharger-Destination-ADChanges/Log]
TRANSFORMS-change_host = WinEventHostOverride
EXTRACT-TargetAccountDomain = (?ms)^(New Logon|New Account|Target Account|Account Whose Credentials Were Used|Account For Which Logon Failed|Account That Was Locked Out):.+?(Account Domain|Old Account Domain):\s+(?<TargetAccountDomain>[^\v]+)
EXTRACT-ObjectDN = (?ms)^Object:.+?DN:\s+(?<ObjectDN>[^\v]+)$
EXTRACT-ObjectGUID = (?ms)^Object:.+?GUID:\s+(?<ObjectGUID>[^\v]+)$
EXTRACT-ObjectClass = (?ms)^Object:.+?Class:\s+(?<ObjectClass>[^\v]+)$
EXTRACT-DirectoryServiceName = (?ms)^Directory Service:.+?Name:\s+(?<DirectoryServiceName>[^\v]+)$
EXTRACT-DirectoryServiceType = (?ms)^Directory Service:.+?Type:\s+(?<DirectoryServiceType>[^\v]+)$
EXTRACT-MemberAccountName = (?ms)^Member:.*?Account Name:\s+(?<MemberAccountName>[^\v]+)
EXTRACT-SourceAccountName = (?ms)^Source Account:.+?Account Name:\s+(?<SourceAccountName>[^\v]+)
EXTRACT-SubjectAccountName = (?ms)^Subject:.+?Account Name:\s+(?<SubjectAccountName>[^\v]+)
EXTRACT-TargetAccountName = (?ms)^(New Logon|New Account|Target Account|Account Whose Credentials Were Used|Account For Which Logon Failed|Account That Was Locked Out):.+?(Account Name|Old Account Name):\s+(?<TargetAccountName>[^\v]+)
EXTRACT-ChangedAttributes = (?ms)^Changed Attributes:(?<ChangedAttributes>.*)Additional Information:
EXTRACT-MemberSecurityID = (?ms)^Member:.*Security ID:\s+(?<MemberSecurityID>[^\v]+)
EXTRACT-NewTargetAccount = (?ms)^Target Account:.+?New Account Name:\s+(?<NewTargetAccount>[^\v]+)
EXTRACT-SubjectAccountDomain = (?ms)^Subject:.+?Account Domain:\s+(?<SubjectAccountDomain>[^\v]+)
EXTRACT-SubjectLogonGUID = (?ms)^Subject:.+?Logon GUID:\s+(?<SubjectLogonGUID>[^\v]+)
EXTRACT-SubjectLogonID = (?ms)^Subject:.+?Logon ID:\s+(?<SubjectLogonID>[^\v]+)
EXTRACT-SubjectSecurityID = (?ms)^Subject:.+?Security ID:\s+(?<SubjectSecurityID>[^\v]+)
EXTRACT-TargetLogonGUID = (?ms)^(New Logon|New Account|Target Account|Account Whose Credentials Were Used|Account For Which Logon Failed|Account That Was Locked Out):.+?Logon GUID:\s+(?<TargetLogonGUID>[^\v]+)
EXTRACT-TargetLogonID = (?ms)^(New Logon|New Account|Target Account|Account Whose Credentials Were Used|Account For Which Logon Failed|Account That Was Locked Out):.+?Logon ID:\s+(?<TargetLogonID>[^\v]+)
EXTRACT-TargetSecurityID = (?ms)^(New Logon|New Account|Target Account|Account Whose Credentials Were Used|Account For Which Logon Failed|Account That Was Locked Out):.+?Security ID:\s+(?<TargetSecurityID>[^\v]+)
EXTRACT-AttributeLDAPDisplayName = (?ms)^Attribute:.+?LDAP\sDisplay\sName:\s+(?<AttributeLDAPDisplayName>[^\v]+)$
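As an added example (not code from this KB article or from the Splunk App for LOGbinder), the Python below applies five of the EXTRACT- regexes above to a constructed event 5136 message body, so you can see which values the dashboards receive before the data ever reaches Splunk. Splunk evaluates these stanzas with PCRE, so the two syntax differences from Python's re module (named-group syntax and the meaning of \v) are translated first; the sample event text is constructed, not captured.

```python
import re

# Five of the EXTRACT- regexes from the props.conf stanza above, copied verbatim (PCRE syntax).
SPLUNK_EXTRACTS = {
    "SubjectSecurityID": r"(?ms)^Subject:.+?Security ID:\s+(?<SubjectSecurityID>[^\v]+)",
    "SubjectAccountName": r"(?ms)^Subject:.+?Account Name:\s+(?<SubjectAccountName>[^\v]+)",
    "ObjectDN": r"(?ms)^Object:.+?DN:\s+(?<ObjectDN>[^\v]+)$",
    "ObjectClass": r"(?ms)^Object:.+?Class:\s+(?<ObjectClass>[^\v]+)$",
    "AttributeLDAPDisplayName": r"(?ms)^Attribute:.+?LDAP\sDisplay\sName:\s+(?<AttributeLDAPDisplayName>[^\v]+)$",
}

def pcre_to_python(pattern: str) -> str:
    """Translate the two PCRE constructs these stanzas rely on into Python re syntax."""
    # PCRE named group (?<name>...) becomes Python (?P<name>...); lookbehinds (?<= and (?<! are untouched.
    pattern = re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern)
    # In PCRE \v is the vertical-whitespace class, so [^\v]+ stops at end of line.
    # Python's \v is only the VT byte; under (?s) the class would run across lines, so spell it out.
    return pattern.replace(r"[^\v]", r"[^\r\n\x0b\x0c\x85]")

def extract_fields(raw_event: str) -> dict:
    """Apply each extraction to the event text, the way Splunk does at search time."""
    fields = {}
    for name, pcre in SPLUNK_EXTRACTS.items():
        match = re.search(pcre_to_python(pcre), raw_event)
        if match:
            fields[name] = match.group(name)
    return fields

# Constructed sample: the message body of a Windows event 5136 (directory service
# object modified) as the Security log renders it, with tab-separated fields.
SAMPLE_5136 = (
    "A directory service object was modified.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105\n"
    "\tAccount Name:\t\tjdoe\n"
    "\tAccount Domain:\t\tEXAMPLE\n"
    "\tLogon ID:\t\t0x3E7F2\n\n"
    "Object:\n"
    "\tDN:\tCN=Domain Admins,CN=Users,DC=example,DC=local\n"
    "\tClass:\tgroup\n\n"
    "Attribute:\n"
    "\tLDAP Display Name:\tmember\n"
    "\tValue:\tCN=Jane Doe,CN=Users,DC=example,DC=local\n"
)

if __name__ == "__main__":
    for name, value in extract_fields(SAMPLE_5136).items():
        print(f"{name:<25} {value}")
```

If a field comes back empty here for an event copied out of the ADChanges log, the matching EXTRACT- line in the stanza is what needs adjusting.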
