Splunk Universal Forwarder, installed simply as Universal Forwarder, provides reliable, secure data collection from remote sources and forwards that data into Splunk software for indexing and consolidation. The self-service install available in Carleton's K1000 installs the Universal Forwarder and is preconfigured to collect only a few key channels of information for ITS's security team to monitor for major security breaches.
Windows 10 64-bit
Splunk Universal Forwarder is freely available from Splunk's website.
College Owned Equipment
Installing Software from the KBOX
Windows package name: Windows: Splunk Universal Forwarder 6.6.3 (2017.10.17)
Frequently Asked Questions
Q: What is Splunk?
A: Splunk is a service that allows us to pool information from user computers, servers, services, and network appliances in a central spot, to aid us in performing various kinds of audits and analyses, primarily security-related. It will give us some early indications of account and machine compromise.
Q: What *exactly* are you logging?
A: We are logging Windows Security Log event codes 106, 500, 517, 567, 601, 602, 1102, 2004, 4657, 4697, 4698, 7045 plus one system log code, 104. These codes reflect actions attackers typically take, things like adding new services or firewall rules, wiping out restore points, and clearing event logs (to cover their tracks). Just a dozen or so codes and associated text, plus some associated PowerShell logging. That's it.
Q: Why log? Isn't antivirus software enough?
A: To a large extent old-style antivirus software, and so-called signature and single-machine behavioral analysis, is obsolete. To detect compromise, we need to pool data across a variety of sources in one place. And we need logging, both to perform forensics when our defenses fail (as they inevitably will from time to time), and to put historical data where the malware can't get at it and erase it.
Who To Call
Contact Desktop Systems if you find issues with the installer in the K1000.