topic Re: Splunk App Active Directory - 2008 R2, Advanced Audit Policy in All Apps and Add-ons

Splunk App Active Directory - 2008 R2, Advanced Audit Policy

boeing_smithbj — Thu, 15 Aug 2013 15:31:22 GMT

I've got a default setup of Splunk (v 5.0.3) with the following:
Active Directory App. (1.2.1)
Sideview Utils (2.6.3)
SA-ldapsearch (1.1.9)
TA for Windows (4.6.3)
Universal Forwarder (5.0.3)

Everything appears to be working correctly - I am seeing log data sent to the indexer from two active directory/dns servers and I can pull up data on all of the menus within the app (security, change management, health, etc.) however... I am having problems finding specific events. I don't know if this is related to how we have our audit policies setup (Advanced Audit Policy, 2008 R2 domain) but suspect it is related.

Specifically, I am not seeing failed login attempts to the domain when a user is mistyping their passwords on a client workstation. I am seeing this type of event when an admin attempts a remote desktop to one of the Domain Controllers and fails.

Also, (most likely related to above) I am trying to use the "User Utilization" menu option and filter for a specific time period, but again, I am only seeing events showing up from users connecting directly to a DC (Admin/remote desktop) and not the client connections.

Any ideas here? Thanks in advance!

Re: Splunk App Active Directory - 2008 R2, Advanced Audit Policy

boeing_smithbj — Thu, 15 Aug 2013 17:08:46 GMT

Follow-up:

Suspecting an auditing issue on the DCs, I did some testing.

Logged off with my user account.

Tried to login with a bad username (TESTFAIL)

Tried to login with a good username and a BAD password

Logged in successfully

On the client device I see all the auditing correctly, 4634 for the logoff and 4625s for the failed login attempts. I then check the (2) Domain Controllers to see if I can find corresponding events, I looked by type and just at the general time in which I did this test, and I am not seeing anything.

Why aren't these audits captured on the DCs?

Re: Splunk App Active Directory - 2008 R2, Advanced Audit Policy

boeing_smithbj — Thu, 15 Aug 2013 20:26:58 GMT

Figured this out...

Basically, if you are using the Advanced Audit Configuration settings, you have to enable "Audit Kerberos Authentication Service" under Advanced Audit Configuration > Account Logon.

With this auditing enabled the Splunk App for Active Directory will begin picking up the following eventIDs from the Domain Controllers:

4768 – A Kerberos authentication ticket (TGT) was requested – In my test this was a BAD/UNKNOWN username

4771 – Kerberos pre-authentication failed – In my test this was a good username and BAD password