To set up, please follow the steps below:
Universal Forwarder Configuration
On Mi-Token Server
Installation
- 1. Install the Universal Forwarder
- 2. Set the Deployment Server to the local IP, port 8089 (the Forwarder retrieves its data from here)
- 3. Set the Receiving Indexer to the Splunk Server IP, port 9997 (the Forwarder sends logs to the Indexer)
- 4. Install the Splunk Add-on for Microsoft Windows on the Splunk Server
Adding Event Logs
- 1. Edit the inputs config file:
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
Add the Mi-Token Event Log stanza (the name after WinEventLog:// must be the full name of the log):
[WinEventLog://MiToken]
disabled = 0
- 2. Restart the Splunk Forwarder service (in Services) and the Splunk Server
On Splunk Website
http://<splunk-server-ip>:8000/
- 1. Add regex patterns for the custom data type search
Regex:
Settings>fields>field extractions>open field extractor
Data Type: source type
Source Type: Uncategorized > WinEventLog:MiToken
Select “I prefer to write the regular expression myself”
Insert the regex patterns below and save each one separately.
Message: [^:\n]*:\s+(?P<Message>.+)
Username: for (?P<Username>[^ ]+)
Result: was (?P<result>[^:]+)
Verbose Mode must be enabled; the new fields will appear under Interesting Fields.
A Splunk restart or debug refresh might be needed.
Restart: Settings> System> Server Controls
Debug: http://<splunk-server-ip>:8000/en-US/debug/refresh
To enable or disable a field, select it and set Selected to Yes or No.
*Note: please contact a Splunk expert if you have trouble. We suggest having a specialist well-versed in Splunk carry out the configuration process. The details we have provided originate from Splunk's own documentation that was shared with us previously. Mi-Token's role is simply enabling the Event Log; the comprehensive Splunk configuration should be handled by an expert on their platform.
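Before saving the three patterns in the field extractor, it is worth checking what they actually capture. The script below is an added example, not part of the original guide or of Mi-Token's or Splunk's own tooling: it runs the guide's three regexes, unchanged, over a few constructed event messages. The sample messages are an assumption about the wording of MiToken events and should be swapped for a real event copied from the MiToken log; the patterns themselves are the ones listed above.

```python
import re

# The three extraction patterns from the guide, unchanged. Splunk evaluates
# them with PCRE; Python's re module accepts the same (?P<name>...) syntax,
# so these particular patterns behave identically in both.
PATTERNS = [
    re.compile(r"[^:\n]*:\s+(?P<Message>.+)"),   # Message
    re.compile(r"for (?P<Username>[^ ]+)"),      # Username
    re.compile(r"was (?P<result>[^:]+)"),        # Result
]

# Constructed sample events (NOT real Mi-Token output; the wording is an
# assumption). Replace with an event copied from the MiToken log.
SAMPLE_EVENTS = [
    "Mi-Token: Authentication for CORP\\jdoe was Accepted: source 10.0.0.5",
    "Mi-Token: Authentication for CORP\\asmith was Rejected: invalid OTP",
    "Service started",  # no colon, no 'for', no 'was': nothing extracts
]


def extract_fields(message):
    """Apply each pattern the way Splunk's field extractor does: the first
    match in the event text supplies the named field; a pattern that does
    not match yields no field (None here, absent in Splunk)."""
    fields = {}
    for pattern in PATTERNS:
        m = pattern.search(message)
        for name in pattern.groupindex:
            fields[name] = m.group(name) if m else None
    return fields


def missing_fields(fields):
    """Names of fields that did not extract, so an operator can spot an
    event format the patterns do not fit before enabling them."""
    return [name for name, value in fields.items() if value is None]


def check_samples(events=SAMPLE_EVENTS):
    """Return (fields, missing) for every sample event."""
    results = []
    for event in events:
        fields = extract_fields(event)
        results.append((fields, missing_fields(fields)))
    return results


if __name__ == "__main__":
    for event, (fields, missing) in zip(SAMPLE_EVENTS, check_samples()):
        print(event)
        print("  fields :", fields)
        print("  missing:", missing)
```

Two things the run makes visible: the Message pattern keeps everything after the first colon, and the Result pattern (`[^:]+`) keeps capturing until the next colon or the end of the message, so if a real event places text after "was Accepted" without a colon, that text lands in the result field as well. Adjust the patterns against a real event before saving them.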