
Thursday, June 27, 2013

Windows event log filtering

Using event log forwarding (subscriptions) to pass events to a central monitoring server,
which Splunk then indexes.
(This saves having to put universal forwarders or other agents on our Domain Controllers.)

AD tracks directory object changes with event ID 5136.
The same event also records changes such as dnsNode updates etc.
We only want the user object changes (at the moment)
and want to exclude certain event data (noisy attributes).

Using a custom view to pull the 5136 events from the remote domain controllers:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5136)]] and *[EventData[Data[@Name='ObjectClass'] and (Data='user')]]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='AttributeLDAPDisplayName'] and (Data='userCertificate')]]
    </Suppress>
  </Query>
</QueryList>
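To see what that Select/Suppress pair actually lets through, here is an added Python re-implementation of the two clauses run over a few constructed 5136-style events. It is example code written for this post, not a Windows component or anything from the original; the sample events are hand-made in the Windows event XML layout (namespace included) and trimmed to the fields the query inspects. It assumes the query's intent is "the ObjectClass Data node itself is 'user'" rather than "any Data node is 'user'", which is the stricter reading of the XPath above.

```python
import xml.etree.ElementTree as ET

# Constructed sample events (not captured from a real domain controller). The
# shape follows the Windows Event Log XML schema, trimmed to the fields the
# subscription query inspects.
SAMPLE_EVENTS = [
    # 1: a user object's sAMAccountName was changed -> selected, not suppressed
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">sAMAccountName</Data>
    <Data Name="AttributeValue">jdoe</Data>
  </EventData>
</Event>""",
    # 2: a user object, but the attribute is the noisy userCertificate -> suppressed
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">userCertificate</Data>
    <Data Name="AttributeValue">MIIC...(placeholder base64)</Data>
  </EventData>
</Event>""",
    # 3: a dnsNode record update -> 5136, but not a user object, so not selected
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="ObjectClass">dnsNode</Data>
    <Data Name="AttributeLDAPDisplayName">dnsRecord</Data>
  </EventData>
</Event>""",
    # 4: a different event ID (4738, user account changed) -> not selected
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4738</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
  </EventData>
</Event>""",
]


def data_value(event, name):
    """Return the text of the <Data Name="..."> element in EventData, or None.
    The {*} wildcard ignores the events namespace (Python 3.8+)."""
    for d in event.findall("{*}EventData/{*}Data"):
        if d.get("Name") == name:
            return d.text
    return None


def selected(event):
    """The <Select> clause: EventID 5136 on an object whose ObjectClass is 'user'."""
    return (event.findtext("{*}System/{*}EventID") == "5136"
            and data_value(event, "ObjectClass") == "user")


def suppressed(event):
    """The <Suppress> clause: changes to the userCertificate attribute."""
    return data_value(event, "AttributeLDAPDisplayName") == "userCertificate"


def forwarded(xml_text):
    """True if the subscription would forward this event. An event matching
    both clauses is dropped: Suppress always wins over Select."""
    event = ET.fromstring(xml_text)
    return selected(event) and not suppressed(event)


def filter_events(xml_events):
    """Return only the events the collector would receive."""
    return [e for e in xml_events if forwarded(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS, 1):
        print(f"event {i}: {'forward' if forwarded(e) else 'drop'}")
```

Only the first sample survives: the userCertificate change is selected and then suppressed, the dnsNode change fails the ObjectClass test, and 4738 fails the EventID test. That is the behaviour to expect from the subscription before adding more Suppress lines for other noisy attributes.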

Was getting locale errors with the event logs, so had to set the system language to English (United States).


Good link for info about auditing AD:
http://blogs.technet.com/b/askpfeplat/archive/2012/04/22/who-moved-the-ad-cheese.aspx

Thursday, June 30, 2011

Splunk AD Filtering


...\splunk\etc\system\local
## props.conf

[WMI:WinEventLog:Security]
TRANSFORMS-evtlog = wmi-null,wmi-filter,wmi-filter28user,wmi-filter28SecGrp,wmi-filter28DlGrp


## transforms.conf
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmi-filter]
REGEX = (?msi)^(CategoryString=Account Management)
DEST_KEY = queue
FORMAT = indexQueue

[wmi-filter28user]
REGEX = (?msi)^(CategoryString=User Account Management)
DEST_KEY = queue
FORMAT = indexQueue

[wmi-filter28SecGrp]
REGEX = (?msi)^(CategoryString=Security Group Management)
DEST_KEY = queue
FORMAT = indexQueue

[wmi-filter28DlGrp]
REGEX = (?msi)^(CategoryString=Distribution Group Management)
DEST_KEY = queue
FORMAT = indexQueue
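The trick in that config is the order of the TRANSFORMS-evtlog list: every stanza whose REGEX matches writes its FORMAT into the queue key, so the last match decides where the event goes. wmi-null matches everything and sends it to nullQueue, and the category stanzas after it pull the wanted events back to indexQueue. Here is an added Python simulation of that chain (example code for this post, not Splunk's own code or the original author's), run over a handful of constructed raw events in the key=value layout of the WMI:WinEventLog input; the EventCode values are ordinary Windows IDs but the events themselves are made up.

```python
import re

# The transforms.conf stanzas from the post, in the order TRANSFORMS-evtlog
# lists them in props.conf. Splunk evaluates the class left to right and every
# matching stanza writes its FORMAT into DEST_KEY (queue), so the last match wins.
TRANSFORMS = [
    ("wmi-null",           r".",                                                    "nullQueue"),
    ("wmi-filter",         r"(?msi)^(CategoryString=Account Management)",            "indexQueue"),
    ("wmi-filter28user",   r"(?msi)^(CategoryString=User Account Management)",       "indexQueue"),
    ("wmi-filter28SecGrp", r"(?msi)^(CategoryString=Security Group Management)",     "indexQueue"),
    ("wmi-filter28DlGrp",  r"(?msi)^(CategoryString=Distribution Group Management)", "indexQueue"),
]

# Constructed raw events (not captured from a real system), trimmed to a few
# of the key=value lines Splunk's WMI event log input produces.
SAMPLE_EVENTS = {
    "user_created": ("20110630090000.000000\n"
                     "CategoryString=User Account Management\n"
                     "EventCode=4720\n"
                     "Message=A user account was created.\n"),
    "group_member_added": ("20110630090100.000000\n"
                           "CategoryString=Security Group Management\n"
                           "EventCode=4728\n"
                           "Message=A member was added to a security-enabled global group.\n"),
    "logon": ("20110630090200.000000\n"
              "CategoryString=Logon\n"
              "EventCode=4624\n"
              "Message=An account was successfully logged on.\n"),
    # (?i) makes the category match case-insensitively
    "lowercase_dl_group": ("20110630090300.000000\n"
                           "categorystring=distribution group management\n"
                           "Message=A member was added to a distribution group.\n"),
    # the wanted string appears only inside Message, not at a line start,
    # so the ^ anchor (with (?m)) keeps it from being a false match
    "category_in_message_only": ("20110630090400.000000\n"
                                 "CategoryString=Logon\n"
                                 "Message=See also CategoryString=User Account Management\n"),
}


def matching_stanzas(raw_event, transforms=TRANSFORMS):
    """Names of the stanzas whose REGEX matches the raw event text."""
    return [name for name, regex, _ in transforms if re.search(regex, raw_event)]


def route(raw_event, transforms=TRANSFORMS):
    """Queue the event lands in after the whole chain has run.
    indexQueue is the default when no stanza rewrites the queue key."""
    queue = "indexQueue"
    for _, regex, fmt in transforms:
        if re.search(regex, raw_event):
            queue = fmt
    return queue


def route_all(events, transforms=TRANSFORMS):
    """Map each labelled sample event to its final queue."""
    return {label: route(raw, transforms) for label, raw in events.items()}


if __name__ == "__main__":
    for label, queue in route_all(SAMPLE_EVENTS).items():
        print(f"{label:28s} -> {queue:10s} via {matching_stanzas(SAMPLE_EVENTS[label])}")
    # What happens if wmi-null is listed last instead of first:
    reordered = TRANSFORMS[1:] + TRANSFORMS[:1]
    print("user_created with wmi-null last ->", route(SAMPLE_EVENTS["user_created"], reordered))
```

Two things the run makes visible. "User Account Management" is not matched by the wmi-filter stanza because `^CategoryString=Account Management` is anchored to the line start, which is why the post needs a separate stanza per category string. And if wmi-null is moved to the end of the TRANSFORMS-evtlog list, every event ends in nullQueue, including the ones the category stanzas accepted, so the order in props.conf is part of the filter, not cosmetic. Because these transforms run at parse time on the indexer or heavy forwarder, events routed to nullQueue are never written to an index.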