topic Re: monitoring active directory in Splunk Search

Am I taking the correct steps for monitoring active directory and analyzing user accounts?

hichem_khalfi — Tue, 26 Jul 2022 14:20:50 GMT

Good morning all
please i'm in a big das that i can't solve it: i'm a student and i'm preparing my graduation project and it's my first time with splunk
I want to know if my steps are correct or not
I want to analyze the user accounts of my active directory: I want to work only on the information concerning the connection of the accounts (login, log off...) and also (creation, modification, deletion..)
for that I installed on my splunk server the 3 apps:
Splunk_TA_windows
Splunk_TA_microsoft_ad
SA-ldapsearch (I don't know why I can't save the domain password on this add on despite the connection being successful)
after that I copied the 2 folders "Splunk_TA_windows" and
"Splunk_TA_microsoft_ad" to my AD server in forrwadersplunk folder path
after that I configured this input file and I copied it to a new "local" folder on the 2 servers

************************

###### Monitor Inputs for Active Directory ######
[monitor://C:\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled=0
renderXml=false
index=main

[WinEventLog://Security]
disabled = 0
index=main
start_from oldest
current_only = 0
evt_resolve_ad_obj = 1
Interval checkpoint = 5
whitelist=4724,4725,4726,4624,4625,4720,4732,4722,4738,4742,4729,4715,4719,4768,4769
blacklist1 = EventCode="4662" Message="Object Type: (?!\s*group Policy Container)"
blacklist2 = EventCode="566" Message="Object Type: (?!\s*group PolicyContainer)"
renderXml=false

[WinEventLog://Microsoft-windows-Terminalservices-LocalSessionManager/operational]
disabled = 0
index=main
renderXml=false

******************

Am I missing another step??
is the input file configuration correct??
can I have my needs with this configuration ???

thank you for answering me because I can not find the right answer on the net and I have a big problem: I find incomplete information on some users when I launch searches concerning their opening and closing of sessions.

I apologize for this long message but I must explain all the details to you to have the best advice

Re: monitoring active directory

gcusello — Tue, 26 Jul 2022 09:27:46 GMT

Hi @hichem_khalfi,

at first, don't install the above TAs in that folder, but in the $SPLUNK_HOME\etc\apps folcer.

then, I suppose that you already configured your forwarders to send data to Splunk, if not, see in vido or docs (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Data/Getstartedwithgettingdatain).

Then SA-ldapsearch must be installed on your Splunk server, not on the Forwarders: it's used to make some ldap calls to extract data.

About information about login events, you have to search events with:

EventCode=4624 (login)
EventCode=4625 (logfail)
EventCode=4634 (logout)

Ciao.

Giuseppe

Re: monitoring active directory

hichem_khalfi — Tue, 26 Jul 2022 09:38:44 GMT

tank you for your answer

no no I installed the redictor only on the active directory server, I only checked the box: enable AD monitoring because I want the information to come from the server
after that I created the folder on the 2 paths
SPLUNK_HOME\etc\apps folder\local
SPLUNK_FORWARDER\etc\apps folder\local
in these 2 paths I put the same configuration file input.conf

I know the eventcode but the problem that I can have users and others not:
for example I have 4 users who logged in at 9am but on the console I find only 2

the problem does not come from the user station because I only take all the information from the server and for that I asked for the best procedure for monitoring users active directory

Re: monitoring active directory

hichem_khalfi — Tue, 26 Jul 2022 09:53:32 GMT

like I said : on the Splunk server I installed Splunk_TA_windows Splunk_TA_microsoft_ad SA-ldapsearch (I don't know why I can't save the domain password on this add on despite the connection being successful) on the active directory server which is my Forwarder I installed only Splunk_TA_windows Splunk_TA_microsoft_ad I used only one Forwarder because normally the AD server can provide me with the information of all users. but despite that I can't find information on a few users 1/ do I have to install SA-ldapsearch?? thank you for briefly describing his role 2/ please check my input.conf file

Re: monitoring active directory

gcusello — Tue, 26 Jul 2022 09:57:57 GMT

Hi @hichem_khalfi,

if you see data on your Splunk, TAs are correctly configurated.

If you see only a part of logs, maybe some logins are local and not to the Domain.

To be more sure, you should installa Forwarder also on the clients.

As i said the splunkforwarder app in $SPLUNK_HOME\etc/apps, cannot be used, you have to put your TAs only in the $SPLUNK_HOME\etc\apps, that should be "C:\program Files\splunkforwarder\etc\apps"

Ciao.

Giuseppe

Re: monitoring active directory

gcusello — Tue, 26 Jul 2022 10:04:14 GMT

Hi @hichem_khalfi,

your inputs.conf is correct.

About SA-ldapsearch, you have to install it in your Splunk server, and you must be sure that the firewall routes are open between the Splunk server and the DC.

Ciao.

Giuseppe

Re: monitoring active directory

hichem_khalfi — Tue, 26 Jul 2022 10:06:41 GMT

so my first mistake: I installed TA WINDOWS on splunk server and I have to delete it..ok.
and considering "TA_microsoft_ad" I install it on the splunk server and forward it or not??
I apologize but I need to know the correct configuration because every one tells me contradictory information to the other

Re: monitoring active directory

hichem_khalfi — Tue, 26 Jul 2022 10:11:54 GMT

Regarding SA-ldapsearch I have already installed on splunk server only and I did the configuration successfully and the test passed
but I can no longer save the password: if I close his tab and I come back: I find all the saved information except the password
I don't understand why and can this thing cause problems, I insist that when I type the password again I always had a connection with the AD server

Re: monitoring active directory

gcusello — Tue, 26 Jul 2022 10:20:35 GMT

Hi @hichem_khalfi,

TAs must be installed both on the Splunk Server and on the Forwarders: on the first are used for parsing, on the second for inputs.

About your other question (SA-ldapsearch) I encountered this problem some years ago, but I thought that was solved!

Anyway, in Community you should find an answer for this.

Ciao.

Giuseppe

Re: monitoring active directory

JacekF — Tue, 26 Jul 2022 10:42:08 GMT

Please note, that you need to put local folder inside the application folder, not directly as a subdir of $SPLUNK_HOME\etc\apps.

If you are using Splunk_TA_windows app, you need to put your inputs.conf in the following local folder:

$SPLUNK_HOME\etc\apps\Splunk_TA_windows\local

With regards to ldapsearch, test if it works by executing some search with | ldapsearch command. In my environment once saved, password is also not visible.

Re: monitoring active directory

hichem_khalfi — Tue, 26 Jul 2022 10:59:12 GMT

1- I don't understand do I have to install TA WINDOWS on the splunk server or not because gcusello said no???

2- yes i choosed this path

3- i used this command now and i had result

| ldapsearch domain=TRANSVET search="(objectClass=user)" attrs="sAMAccountName,cn"

so i have connection between splnk server and server active directory but why i cant save the password , in my environment i always find the empty password box and i retype it evry time

Re: monitoring active directory

gcusello — Tue, 26 Jul 2022 11:02:37 GMT

Hi @hichem_khalfi,

as you can read in my answer, I said that you have to install the TA-Windows both on Splunk Server and Forwarders.

As I said: on Splunk server it's used for parsing and on Forwarders for inputs.

ciao.

Giuseppe