topic Re: Active Directory User Logon Failures in Getting Data In

Active Directory User Logon Failures

omatsei — Mon, 28 Sep 2020 13:50:54 GMT

I've got the Active Directory app installed, and everything is working except the User Logon Failures tab. The search is:

search eventtype=msad-failed-user-logons (host="HOSTNAME") | fields _time,signature,src_ip,src_host,src_nt_domain,user,Logon_Type

However, the data is coming in tagged with the host as "HOSTNAME.domain". If I modify the search manually to say:

search eventtype=msad-failed-user-logons (host="HOSTNAME.domain") | fields _time,signature,src_ip,src_host,src_nt_domain,user,Logon_Type

Everything works. Is there a conf file I need to change somewhere?

Re: Active Directory User Logon Failures

phoffman_splunk — Tue, 07 May 2013 14:17:23 GMT

Assuming your on 1.1.4 since you just installed, check in your ldap.conf file and add the attribute alternatedomain in your domain stanza; so it will look something like:

[HOSTNAME.domain]
alternatedomain=HOSTNAME

http://docs.splunk.com/Documentation/ActiveDirectory/1.1.4/DeployAD/ConfiguretheSA-ldapsearchsupportingaddon

Re: Active Directory User Logon Failures

omatsei — Tue, 07 May 2013 14:25:27 GMT

I just added hat. Is there any way to test that app?

Re: Active Directory User Logon Failures

phoffman_splunk — Tue, 07 May 2013 14:34:00 GMT

does the "User Logon Failures tab" work now?

Re: Active Directory User Logon Failures

omatsei — Tue, 07 May 2013 14:42:27 GMT

No, if I select "Security" then "User Utilization", it says "No matching fields exist", and no results under any of the boxes.

Re: Active Directory User Logon Failures

ahall_splunk — Tue, 07 May 2013 18:21:13 GMT

The host field is set on the Universal Forwarder configuration, and we expect it to be the plaintext host without the domain, which is normally how it happens. Unfortunately, the app is not written in a way that support host.domain tagging for the host. You will need to modify the app to support that.

Please feel free to file an enhancement request with out support group if you have a support contract.

Re: Active Directory User Logon Failures

omatsei — Tue, 07 May 2013 18:39:36 GMT

I don't understand. I installed the Universal Forwarder on 5 domain controllers, as it required for the active directory app. Considering everything I've done is a completely out-of-the-box install, how can it not work?

Re: Active Directory User Logon Failures

omatsei — Tue, 07 May 2013 18:45:16 GMT

Maybe I'm not explaining it right. The data is coming in tagged as "domaincontroller.domain", but I want it to be tagged as "domaincontroller". All the other data from the same domain controller, using the universal forwarder, is tagged as "domaincontroller". Why are the fields for the security stuff tagged differently?