This article provides guidance on commonly filtered event types used for security auditing purposes, such as user logins, authentication failures, system reboots, configuration changes, and other security-related activities.
For sending security related events to a SIEM solution like SPLUNK use text filters in addition to the appname filter.
Use the "Text" and "Matches" filters within your Log Forwarding destination configuration.
It is important to note that the log forwarding engine requires explicit wildcards to match strings correctly.
Please follow these steps to configure your filters:
This list will cover all the security specific logs but must be entered manually:
*password was changed*
*logged out*
*cannot login*
*logged in*
*rejected password for user*
*Permission rule removed*
*DCUI has been enabled*
*Firewall configuration has changed*
*Permission created*