I've got a default setup of Splunk (v 5.0.3) with the following:
Active Directory App. (1.2.1)
Sideview Utils (2.6.3)
TA for Windows (4.6.3)
Universal Forwarder (5.0.3)
Everything appears to be working correctly - I am seeing log data sent to the indexer from two active directory/dns servers and I can pull up data on all of the menus within the app (security, change management, health, etc.); however, I am having problems finding specific events. I don't know if this is related to how we have our audit policies set up (Advanced Audit Policy, 2008 R2 domain) but suspect it is related.
Specifically, I am not seeing failed login attempts to the domain when a user is mistyping their passwords on a client workstation. I am seeing this type of event when an admin attempts a remote desktop to one of the Domain Controllers and fails.
Also, (most likely related to above) I am trying to use the "User Utilization" menu option and filter for a specific time period, but again, I am only seeing events showing up from users connecting directly to a DC (Admin/remote desktop) and not the client connections.
Suspecting an auditing issue on the DCs, I did some testing.
Logged off with my user account.
Tried to login with a bad username (TESTFAIL)
Tried to login with a good username and a BAD password
Logged in successfully
On the client device I see all the auditing correctly, 4634 for the logoff and 4625s for the failed login attempts. I then checked the two Domain Controllers to see if I can find corresponding events; I looked by type and just at the general time in which I did this test, and I am not seeing anything.
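One way to repeat the check described in the test above directly against the DC security logs, as an added example that is not part of the original post: query both Domain Controllers for the same event IDs the client logged (4625 and 4634) inside the test window, and print the effective Advanced Audit Policy setting for the Logon subcategory on each DC. The DC hostnames and the 30-minute window are assumed placeholders.

```powershell
# Added example, not from the original post. Assumes the DC names below and
# that the logon test was run within the last 30 minutes; adjust as needed.
$domainControllers = @('DC1', 'DC2')        # assumed placeholder hostnames
$testStart = (Get-Date).AddMinutes(-30)     # assumed test window start
$testEnd   = Get-Date

foreach ($dc in $domainControllers) {
    Write-Host "=== $dc ==="

    # Same IDs seen on the client: 4625 (failed logon) and 4634 (logoff)
    $filter = @{
        LogName   = 'Security'
        Id        = 4625, 4634
        StartTime = $testStart
        EndTime   = $testEnd
    }

    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        $events |
            Select-Object TimeCreated, Id,
                @{ n = 'Account'; e = {
                    # TargetUserName sits at index 5 in 4625 but index 1 in 4634
                    if ($_.Id -eq 4625) { $_.Properties[5].Value } else { $_.Properties[1].Value }
                } } |
            Format-Table -AutoSize
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is the finding itself
        Write-Host "No 4625/4634 events on $dc between $testStart and $testEnd"
    }

    # Effective Advanced Audit Policy for the Logon subcategory on this DC
    Invoke-Command -ComputerName $dc -ScriptBlock {
        auditpol /get /subcategory:"Logon"
    }
}
```

If the auditpol line reports "No Auditing" for Logon on a DC while the client shows "Success and Failure", the gap is in the DC-side policy rather than in the forwarder or the app.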