I have an environment where a Windows Server is located. I need to generate specific security events that will be sent to a Splunk instance, e.g. 6x Login Failed then Login Success - that is just one use case.
Ideally, I would like to write a script which will periodically (every hour, let's say) insert these custom fake events into the event logs, and therefore they will be sent to my Splunk instance, where it looks like this has happened (even though in reality it hasn't happened, because there is no-one in that environment).
I know exactly what events I need; what I don't know is how to create them automatically.
In other words - I need to generate fake Windows event data so it looks like it comes from some real environment.
If somebody could point me to some article or draft of how I can write that script - I suppose it should be an easy script - or maybe a different approach, I would be really grateful.
Take a look at this blog for writing to the event log. You will be able to create custom events from a custom source. But I don't think you can create fake events from a source owned by the system, so you may need to configure Splunk to pick up the custom source.
# Register the custom source "App1" in the System log once (requires an elevated session)
New-EventLog -LogName "System" -Source "App1"
# Write an event from that source; EventID, EntryType and Message are your choice
Write-EventLog -LogName "System" -Source "App1" -EventID 1234 -EntryType Error -Message "Some Error message"
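Building on that, here is an added example (not from the original answer) that writes the "6 failed logons, then a success" sequence from the question as synthetic events in a dedicated custom log, so Splunk can be pointed at that log without touching the system-owned Security log. The log name, source name, account, host name and task name are assumptions for this example; it needs an elevated Windows PowerShell 5.1 session, since Write-EventLog is not available in PowerShell 7.

```powershell
# Assumed names for this example: a dedicated log and source for synthetic events.
$LogName = 'SyntheticSecurity'
$Source  = 'SyntheticAuth'

# Register the log and source once; New-EventLog errors if the source already exists.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

function Write-LogonScenario {
    param(
        [string]$User        = 'svc_test',    # constructed sample account name
        [string]$Workstation = 'WKS-TEST01',  # constructed sample host name
        [int]$Failures       = 6
    )
    # Event IDs mirror the Security-log logon events (4625 = failed, 4624 = success)
    # so an existing Splunk search can be adapted by changing only the log/source filter.
    for ($i = 1; $i -le $Failures; $i++) {
        Write-EventLog -LogName $LogName -Source $Source -EventId 4625 -EntryType FailureAudit `
            -Message "SYNTHETIC: An account failed to log on. Account Name: $User Workstation: $Workstation Attempt: $i of $Failures"
        Start-Sleep -Seconds 2   # space the attempts so the timestamps read like a real burst
    }
    Write-EventLog -LogName $LogName -Source $Source -EventId 4624 -EntryType SuccessAudit `
        -Message "SYNTHETIC: An account was successfully logged on. Account Name: $User Workstation: $Workstation"
}

Write-LogonScenario

# Run it hourly: save this file (assumed path C:\Scripts\Write-LogonScenario.ps1) and register a task.
# $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Write-LogonScenario.ps1'
# $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
# Register-ScheduledTask -TaskName 'SyntheticLogonEvents' -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest

# On the Splunk universal forwarder, add the custom log to inputs.conf so it is collected:
# [WinEventLog://SyntheticSecurity]
# disabled = 0
```

Keeping the "SYNTHETIC:" prefix in every message lets you exclude these events from real alerting with a single search filter while still exercising the detection logic end to end.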