
Event-level filtering based on LDAP query

Path Finder

Anyone know how I can do event-level filtering that matches events based on membership in an AD group?

Specifically, I'm looking to send any and all events that have to do with the members of the "domain administrators" Active Directory group to a separate index. From there I can control permissions to that index to keep Domain Admin activity segregated. (Of course, the concept could be applied to any other AD group, OU, etc.)

Can event-level filtering be done by matching events with the results of an LDAP query, or CSV lookup, where the CSV is generated by a scheduled non-Splunk job?

(Or, do I have to write a shell script to do an LDAP query and figure out how to safely update the appropriate config files using the script?)

0 Karma

Re: Event-level filtering based on LDAP query

Engager

I have the same question. Did you come up with a solution?

0 Karma

Re: Event-level filtering based on LDAP query

Path Finder

No, I never did. Splunk support was also unable to provide a way to do this. The only thing I can think to do is to custom-write a script that does the LDAP query for you and modifies a regex in the Splunk configs... but last I knew there was no built-in way to do this. However -- I haven't checked to see if this might have been a new feature in recent releases.

0 Karma

Re: Event-level filtering based on LDAP query

Path Finder

Heh... just re-read my original question... seems I'm at the same conclusion I was when I wrote the question. External script would have to be the solution.

0 Karma

Re: Event-level filtering based on LDAP query

Communicator

I think this can be done now, I'm just not up to writing the search. Any thoughts on how this can be done with ldapsearch?

0 Karma

Re: Event-level filtering based on LDAP query

Communicator

Have you since been able to accomplish this with ldapsearch?

0 Karma

Re: Event-level filtering based on LDAP query

Communicator

It seems like this is exactly what ldapsearch is meant to do, but I can't figure out the search. I have my event search, then I want to filter events if the user field name matches the sAMAccount field as memberOf an LDAP group.

0 Karma
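An added example (not from any poster in this thread) of the "external script" approach the original poster settled on: take the sAMAccountName values returned by an `ldapsearch` run against the group, turn them into an index-time routing stanza for transforms.conf, and dry-run the regex against raw event text before deploying it. The LDIF sample, domain, stanza name and the `domainadmins` index are constructed for the example, and it assumes Windows Security events whose text carries an "Account Name:" field.

```python
import re

# Constructed sample of `ldapsearch -LLL ... sAMAccountName` output (LDIF);
# the accounts and the domain are made up for this example.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,CN=Users,DC=example,DC=local
sAMAccountName: jdoe

dn: CN=Backup Svc,CN=Users,DC=example,DC=local
sAMAccountName: svc.backup$

dn: CN=Alan Smith,CN=Users,DC=example,DC=local
sAMAccountName: asmith
"""

def parse_samaccountnames(ldif_text):
    """Collect sAMAccountName values from LDIF output, deduplicated and sorted."""
    names = set()
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "samaccountname":
            names.add(value.strip())
    return sorted(names)

def build_routing_regex(names):
    """Regex that matches the Windows 'Account Name:' field for any listed account.
    Names are escaped because service and computer accounts contain '.' and '$';
    the lookahead stops 'jdoe' from also matching 'jdoe2'."""
    alternation = "|".join(re.escape(n) for n in names)
    return r"(?i)Account Name:\s+(?:%s)(?=\s|$)" % alternation

def render_transforms_stanza(names, stanza="route_domain_admins", index="domainadmins"):
    """transforms.conf stanza that rewrites the destination index at index time.
    Pair it with 'TRANSFORMS-route = route_domain_admins' under the Security
    sourcetype in props.conf (the index must already exist), then reload Splunk."""
    return "\n".join([
        "[%s]" % stanza,
        "REGEX = %s" % build_routing_regex(names),
        "DEST_KEY = _MetaData:Index",
        "FORMAT = %s" % index,
        "",
    ])

def event_is_routed(names, event_text):
    """Dry-run check: would this raw event text be routed by the generated regex?"""
    return re.search(build_routing_regex(names), event_text) is not None

# Scheduled job: regenerate the stanza from the current group membership.
print(render_transforms_stanza(parse_samaccountnames(SAMPLE_LDIF)))
```

Because the regex is rebuilt from the full current membership on every run, accounts removed from the group stop being routed on the next reload without any manual edit of the config.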