topic Re: Splunk for Active Directory Dashboard Problem in All Apps and Add-ons

Splunk for Active Directory Dashboard Problem

jvargas80 — Mon, 28 Sep 2020 13:23:55 GMT

We are testing out the Active Directory for Splunk app and are running into one issue. We are getting data in from our DCs just fine and can query ldap and get results for our searches/dashboards except for one. Under the AD app and Security menu, we select User Logon Failures. Everything in the dashboard populates except for Failed Logons by IP Address. We get No matching events found. When we do an insect, we see the following message.

DEBUG: base lispy: [ AND host::sdcfisorl01 index::main source::wineventlog:security [ OR 4625 529 530 531 532 533 534 535 536 537 539 675 [ AND 4768 audit failure ] [ AND 4771 audit failure ] ] ]
DEBUG: search context: user="admin", app="Splunk_for_ActiveDirectory", bs-pathname="C:\Program Files\Splunk\etc"

We have taken the search (eventtype=msad-failed-user-logons (host="SDCFISORL01")|fields _time,signature,src_ip,src_host,src_nt_domain,user,Logon_Type) and entered it in a search box where we get results. We can't figure out why the dashboard is not showing any data.

Any thoughts?

Re: Splunk for Active Directory Dashboard Problem

ahall_splunk — Tue, 26 Feb 2013 17:29:48 GMT

There is a big long list there of event codes that your Active Directory systems should be generating. Take a look for eventtype=msad-failed-user-logons (which expands out to the big long list of event codes) to see if you are getting the data. It's probably not there.

My go to reason is that there is a mistake in the audit settings for the GPO that is applied to the domain controllers. Since you are getting successful events, then take a look at the Logon Audit and Account Logon Audit and ensure that both Success and Failure is checked.

Re: Splunk for Active Directory Dashboard Problem

jvargas80 — Mon, 28 Sep 2020 13:24:01 GMT

We are getting both Successes and Failures into Splunk and have confirmed that the GPO is setup correctly. I can see that the dashboard calls the sec_logon_fail.xml view and that specific dashboard report calls the following search.

Not sure how to turn this into a complete search that I can try in the Splunk search app.

Re: Splunk for Active Directory Dashboard Problem

jvargas80 — Mon, 28 Sep 2020 13:25:18 GMT

Okay it looks like my problem is the following. Some of the events do not include some of the extracted fields, like "src_ip" or "dest_nt_domain" do not exist for that event which the saved searches are using to do stats. It looks like I need to find a way to do a conditional stats. I've been looking at using the eval command like on this articlet...

| eval newfield=if(DNSNAME=="N/A",IP,DNSNAME) | stats count by newfield

http://splunk-base.splunk.com/answers/37007/conditional-field-choice

Re: Splunk for Active Directory Dashboard Problem

jvargas80 — Thu, 28 Feb 2013 20:44:38 GMT

The problem is that this will only work if the extracted field exists and has some value I can check. Anyone know how I can do conditional stats with extracted fields that may or may not be there?

Re: Splunk for Active Directory Dashboard Problem

mbalasko — Mon, 28 Sep 2020 13:45:07 GMT

I have this exact issue and if I replace dest_nt_domain with scr_nt_domain on 1.1.4 of the app it works. Help? Gonna open a ticket today.

Re: Splunk for Active Directory Dashboard Problem

rbw78 — Fri, 19 Jul 2013 11:03:20 GMT

I'm facing the same issue, some news about that ?

Re: Splunk for Active Directory Dashboard Problem

m_varenard — Wed, 06 May 2015 13:41:25 GMT

Same issue here, I found out that the field "src_ip" that the dashboard is using doen't exist in the events.
So obviously the dashboard can't display anything...

Any idea why this field doesn't exist on events ?