https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128813#M26441 <P>You don't need the active directory app to monitor user authentication by the domain controllers, but you do need the windows security log on the domain controllers. WMI can work, but WMI is not as reliable as ChrisG mentioned. <BR /> Also, monitoring only domain controllers will not show you local account logon events.</P> Wed, 29 Jan 2014 00:39:30 GMT lukejadamec 2014-01-29T00:39:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128811#M26439 <P>Hi All,</P> <P>I am trying to collect data for Windows log on/off time, user and machine. I am running Splunk enterprise 6 on a linux. Is there any "easy" way to get this data to splunk without using forwarders or splunk app for active directory?</P> <P>Thanks. </P> Tue, 28 Jan 2014 23:18:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128811#M26439 Bill_B 2014-01-28T23:18:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128812#M26440 <P>You can monitor a variety of Windows data without a forwarder, but there are tradeoffs to using WMI. Have you looked at the <A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/ConsiderationsfordecidinghowtomonitorWindowsdata">Windows data information</A> in the Getting Data In manual? It has information about WMI and ActiveDirectory, as well as event logs, registry, host, and performance data.</P> Wed, 29 Jan 2014 00:25:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128812#M26440 ChrisG 2014-01-29T00:25:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128813#M26441 <P>You don't need the active directory app to monitor user authentication by the domain controllers, but you do need the windows security log on the domain controllers. WMI can work, but WMI is not as reliable as ChrisG mentioned. <BR /> Also, monitoring only domain controllers will not show you local account logon events.</P> Wed, 29 Jan 2014 00:39:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128813#M26441 lukejadamec 2014-01-29T00:39:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128814#M26442 <P>Thanks for the response! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 30 Jan 2014 02:30:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128814#M26442 Bill_B 2014-01-30T02:30:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128815#M26443 <P>Yer welcome, but be warned. Trying to monitor logon logoff transactions with Anything is fraught with peril because Windows often times loses the logoff part. Perhaps with the 6.1 Splunk you can create a knowledge object that associates a system shutdown with a logoff, but I've not tried it.</P> Thu, 30 Jan 2014 03:00:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-get-Windows-domain-log-in-data/m-p/128815#M26443 lukejadamec 2014-01-30T03:00:17Z