https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-display-successful-login/m-p/302570#M91062 <P>Thanks for this. I've looked through it and it will get me the info I want based on the current Domain Admins group. I am hoping there's a way to update the information from Domain Admins each time I run the query.</P> Fri, 17 Feb 2017 17:45:35 GMT scottwhittier 2017-02-17T17:45:35Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-display-successful-login/m-p/302567#M91059 <P>Pretty new to all this.</P> <P>I've got a Splunk 6.5.1 environment gathering data from Windows servers/desktops and Active Directory (AD). Need to create a search that will show me all login attempts and successes by members of the Domain Admins group. I can search data about the logins and I can get group membership via SA-LDAPSearch. How do I make the info about the Domain Admin group members available to the logins search?</P> <P>TIA</P> Thu, 16 Feb 2017 22:04:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-display-successful-login/m-p/302567#M91059 scottwhittier 2017-02-16T22:04:57Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-display-successful-login/m-p/302568#M91060 <P>This may help:</P> <P><A href="https://answers.splunk.com/answers/499526/how-to-search-for-logonlogoff-activity-of-domain-a.html">https://answers.splunk.com/answers/499526/how-to-search-for-logonlogoff-activity-of-domain-a.html</A></P> Thu, 16 Feb 2017 22:13:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-display-successful-login/m-p/302568#M91060 nickhills 2017-02-16T22:13:17Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-display-successful-login/m-p/302569#M91061 <P>Hi scottwhittier,<BR /> to search login,logout and logfail events you have to insert in your search (eventually using a lookup) the following EventIds:<BR /> 528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 4624, 4625, 4634, 4647, 4648, 4672, 4675, 4771, 17055, 18450, 18451, 18452, 18453, 18454, 18455, 18456, 18457, 18458, 18459, 18460, 18461, 24001, 24002, 24003 (the last ones are for Exchange and SQL Server).<BR /> Beware to duplicated Login Events: each access generates many login events, so you have to filter them using dedup or transaction commands.<BR /> Bye.<BR /> Giuseppe</P> Fri, 17 Feb 2017 08:22:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-display-successful-login/m-p/302569#M91061 gcusello 2017-02-17T08:22:18Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-display-successful-login/m-p/302570#M91062 <P>Thanks for this. I've looked through it and it will get me the info I want based on the current Domain Admins group. I am hoping there's a way to update the information from Domain Admins each time I run the query.</P> Fri, 17 Feb 2017 17:45:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-that-will-display-successful-login/m-p/302570#M91062 scottwhittier 2017-02-17T17:45:35Z