https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238058#M46237 <P>When you say "DNS, Users and Groups" are not found, what do you mean exactly by that?<BR /> Did you activate a GPO to audit Logon/Logoff events? </P> Fri, 13 Jan 2017 14:28:39 GMT tfellinger 2017-01-13T14:28:39Z https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238057#M46236 <P>Hi,<BR /> I am trying to get the Windows Infrastructure all configured. For the most part I think I have it configured right but something are not working. I would like to collect logon/logoff logs from AD.</P> <P>I follow the docs about Windows Apps Infra and put Add-ons on my Splunkforwarder ( AD domain ) etc</P> <P>Domains, domain controllers, Group policy and Organizational Units are found but DNS, Users and Groups are not found.</P> <P>Any help to get this working would be appreciated.</P> <P>Excuse my English</P> <P>Thanks<BR /> Geoffrey</P> Fri, 13 Jan 2017 10:06:38 GMT https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238057#M46236 Djow 2017-01-13T10:06:38Z https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238058#M46237 <P>When you say "DNS, Users and Groups" are not found, what do you mean exactly by that?<BR /> Did you activate a GPO to audit Logon/Logoff events? </P> Fri, 13 Jan 2017 14:28:39 GMT https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238058#M46237 tfellinger 2017-01-13T14:28:39Z https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238059#M46238 <P>On the installation for Windows Infrastructure , After checking data, the App detects features to collect and then disable DNS, Users, Computers and Groups <BR /> However, on the Eventviewer on my Windows(AD controller and domain) and on Splunk research , i see the " Event ID 4624" that correspond to logon/logoff.<BR /> GPO to audit Audit account logon events, account management, logon events and Powershell are activated.</P> Fri, 13 Jan 2017 15:16:32 GMT https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238059#M46238 Djow 2017-01-13T15:16:32Z https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238060#M46239 <P>Hi Djow,<BR /> Collecting logon/logoff from Windows is difficult because every access generates 10-12 events and there are many automatic accesses of services, so it's difficult to display the real accesses to systems.<BR /> I filtered taking </P> <UL> <LI>Login EventCode=4624 OR EventCode=524</LI> <LI>Logfail EventCode=4625 OR EventCode=529</LI> <LI>Logout EventCode=4647 OR EventCode=551 and</LI> <LI>Logon_Type=2 OR Logon_Type=10) and making dedup for _time User host</LI> </UL> <P>Instead to have the active sessions I used a simple script for systems greater than 2008 seven:</P> <PRE><CODE>@echo off REM -------------------------------------- REM Controllo delle sessioni utente attive REM -------------------------------------- REM Get event date and time set date_time=%date% %time% REM Print the event date and time, this will be the event timestamp echo Current time: %date_time% REM print the current user session query user </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 12:26:51 GMT https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238060#M46239 gcusello 2020-09-29T12:26:51Z https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238061#M46240 <P>I found something about logs, i use Windows Server 2012 R2 in french and dashboards on Windows Infrastructure App don't read french logs so it didn't work. <BR /> Is there a way to resolve this ?</P> <P>Thanks </P> <P>Geoffrey</P> Tue, 17 Jan 2017 14:08:24 GMT https://community.splunk.com/t5/Getting-Data-In/Collecting-logon-logoff-logs-from-Active-Directory/m-p/238061#M46240 Djow 2017-01-17T14:08:24Z