Collecting Windows events that are forwarded from Splunk

To collect events, you can configure your Windows endpoints to forward events to your QRadar Console and your Splunk indexer.

Forwarding Windows events from aggregation nodes in your Splunk deployment is not recommended. Use a Splunk forwarder to send Windows event data to IBM QRadar. When a Splunk indexer forwards events from multiple Windows endpoints to QRadar, the IP address of the Splunk indexer can obscure the true source of the events. To prevent an incorrect IP address association in the log source, you can update your Windows endpoint systems to forward to both the indexer and your QRadar Console.

Splunk events are parsed by using the Microsoft Windows Security Event Log DSM with the TCP multiline syslog protocol. The regular expression that is configured in the protocol defines where a Splunk event starts or ends in the event payload. The event pattern allows QRadar to assemble the raw Windows event payload as a single-line event that is readable by QRadar. The regular expression that is required to collect Windows events is outlined in the log source configuration.
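The following added example (not IBM's code and not the pattern from the log source configuration) shows how an event-start pattern lets a receiver rebuild single-line events from a multiline TCP stream, including when a start line is split across segments. The pattern, the event layout, and the host name in the sample are assumptions made for the illustration.

```python
import re
from itertools import chain

# Assumed event-start pattern for this sketch; in practice use the one given
# in the QRadar log source configuration. Here a line holding only a
# "MM/DD/YYYY HH:MM:SS AM|PM" timestamp opens each Windows event.
EVENT_START = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M")

# Constructed sample stream: two events in the layout assumed above.
SAMPLE = (
    "03/15/2024 10:22:31 AM\nLogName=Security\nEventCode=4624\n"
    "ComputerName=WS01.example.test\nMessage=An account was successfully logged on.\n"
    "03/15/2024 10:22:35 AM\nLogName=Security\nEventCode=4634\n"
    "ComputerName=WS01.example.test\nMessage=An account was logged off."
)


def assemble(chunks, start=EVENT_START):
    """Yield each multi-line event in the chunk stream as one line."""
    partial, current = "", []
    # A final newline flushes a last line the sender left unterminated.
    for chunk in chain(chunks, ["\n"]):
        partial += chunk
        # Only newline-terminated lines are matched, so a start line that is
        # split across two TCP segments is never tested half-received.
        *lines, partial = partial.split("\n")
        for line in map(str.strip, lines):
            if start.fullmatch(line):
                if current:               # a new start closes the open event
                    yield " ".join(current)
                current = [line]
            elif line and current:        # continuation of the open event
                current.append(line)
            # blank lines and lines before any start line are dropped
    if current:
        yield " ".join(current)


def chunked(text, size):
    """Split text into fixed-size pieces, as TCP segmentation might."""
    return [text[i:i + size] for i in range(0, len(text), size)]


if __name__ == "__main__":
    for event in assemble(chunked(SAMPLE, 7)):
        print(event)
```

If the start pattern does not match the layout that the forwarder actually sends, no line opens an event and every line is dropped, which is why the pattern in the log source must agree with the forwarder output.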

To configure event collection for Splunk syslog events, you must complete the following tasks:

  1. On your QRadar appliance, configure a log source to use the Microsoft Windows Security Event Log DSM.
    Note: You must configure one log source for Splunk events. QRadar can use the first log source to autodiscover more Windows endpoints.
  2. On your Splunk appliance, configure each Splunk Forwarder on the Windows instance to send Windows event data to your QRadar Console or Event Collector.

    To configure a Splunk Forwarder, you must edit the props.conf, transforms.conf, and outputs.conf configuration files. For more information on event forwarding, see your Splunk documentation.

  3. Ensure that no firewall rules block communication between your Splunk appliance and the QRadar Console or managed host that is responsible for retrieving events.
  4. On your QRadar appliance, check the Log Activity tab to verify that the Splunk events are forwarded to QRadar.