topic Re: Access model in the test AD environment in Security

test AD environment

stefani — Thu, 02 May 2024 09:04:22 GMT

I have the following environment: 1 HF -> 1 indexer -> 1 SH , code 9.1

How do I onboard the AD controller data into my HF ? I am using Add-on for Active Directory, any ldap commands? any recommendations ? is this the right tool ?

Re: Access model in the test AD environment

kprior201 — Tue, 30 Apr 2024 12:23:02 GMT

Hello!

1. You're on the right track. https://splunkbase.splunk.com/app/1151 is what you need to be using. The documentation for this add-on has information about how the ldapsearch part works. You can run ldapsearch commands via the command line of wherever this is configured. If you're wanting to import certain ldap data, you'll need to create scheduled searches (on the HFW) to pull that data into Splunk. Read through https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/AbouttheSplunkSupportingAdd-onforActiveDirectory to get a good background on how to do that.

2. Yes, this is possible. The easiest way to do this is probably just to separate the data into different indexes using the collect command. Whatever data you want user1 to have, run a query for that data and collect to a certain index. Whatever data you want user2 to have, run a separate query to collect to a different index. There are other ways to do this as well, but that's the simplest I could think of.

Re: test AD environment

stefani — Fri, 03 May 2024 08:31:07 GMT

One more thing, how do I get this query : "| ldapsearch search="(objectClass=group)" attrs="*"
| collect index=<ldapsearch> "in my SH ?

I am following the tutorial ?

The following steps are the same for saving new alerts or editing existing alerts.

From the Add Actions menu, select Log event.
Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata.
- Event text
- Source and sourcetype
- Host
- Destination index for the log event. The main index is the default destination. You can specify a different existing index.
  
  How do I configure the event text to get the data in the SH ? all I get is some event like : "
  5/3/24
  10:00:01.000 AM
  
  | ldapsearch search="(objectClass=group)" attrs="*" | collect index=<ldapsearch>
  host = SBOXAD01| SBOXAD02
  source = alert:
  sourcetype = AD"

Re: test AD environment

kprior201 — Fri, 03 May 2024 11:35:11 GMT

I'm not sure I fully understand what's going on here. When you run the

|ldapsearch search="(objectClass=group)" attrs="*" | collect index=<ldapsearch>

command on your forwarder, do you get results or an error message? If you get results, then you should be able to simply search against the index on your search head. If you don't get results, then there's something else going on: is the app configured correctly? is the query correct?

Re: test AD environment

stefani — Mon, 06 May 2024 08:43:56 GMT

if I run the command on my HF is fine, it works. I configured the AD plugin to send events to the indexer. But if I run it on my SH doesn't work. I guess the send event function is not configured properly, by that I mean this tutorial :

The following steps are the same for saving new alerts or editing existing alerts.

From the Add Actions menu, select Log event.
Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata.
- Event text
- Source and sourcetype
- Host
- Destination index for the log event. The main index is the default destination. You can specify a different existing index.

Re: test AD environment

kprior201 — Mon, 06 May 2024 19:36:56 GMT

It's possible that your SH isn't set up to reach your LDAP systems and that's why it's not returning results, but it's hard to say without more information. I'd recommend checking the logs for the add-on and seeing if you can find any errors or anything in there. You'll find these in $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log (Ref: https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/UseSA-ldapsearchtotroubleshootproblems)