I've got a default setup of Splunk (v 5.0.3) with the following:
Active Directory App. (1.2.1)
Sideview Utils (2.6.3)
SA-ldapsearch (1.1.9)
TA for Windows (4.6.3)
Universal Forwarder (5.0.3)
Everything appears to be working correctly - I am seeing log data sent to the indexer from two Active Directory/DNS servers and I can pull up data on all of the menus within the app (security, change management, health, etc.). However, I am having problems finding specific events. I don't know if this is related to how we have our audit policies set up (Advanced Audit Policy, 2008 R2 domain) but suspect it is related.
Specifically, I am not seeing failed login attempts to the domain when a user is mistyping their passwords on a client workstation. I am seeing this type of event when an admin attempts a remote desktop to one of the Domain Controllers and fails.
Also, (most likely related to above) I am trying to use the "User Utilization" menu option and filter for a specific time period, but again, I am only seeing events showing up from users connecting directly to a DC (Admin/remote desktop) and not the client connections.
Any ideas here? Thanks in advance!
Figured this out...
Basically, if you are using the Advanced Audit Configuration settings, you have to enable "Audit Kerberos Authentication Service" under Advanced Audit Configuration > Account Logon.
With this auditing enabled the Splunk App for Active Directory will begin picking up the following eventIDs from the Domain Controllers:
4768 – A Kerberos authentication ticket (TGT) was requested – In my test this was a BAD/UNKNOWN username
4771 – Kerberos pre-authentication failed – In my test this was a good username and BAD password
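The two event IDs above are the Domain Controller's record of the same failures a workstation logs locally as 4625: the bad username shows up as a 4768 whose Result Code is 0x6 (client principal unknown) and the wrong password as a 4771 whose Failure Code is 0x18 (pre-authentication failed). As an added example, not code from this thread or from the Splunk App for Active Directory, the script below parses constructed 4768/4771 events written in the plain-text layout the TA for Windows forwards, maps the Kerberos result codes to a reason, and counts failures per account and client address. The timestamps, user names and addresses in the sample are made up.

```python
"""Classify Kerberos authentication-service events (IDs 4768 and 4771) from the
plain-text Windows Security events the Splunk TA for Windows forwards.
Added example, not code from this thread or from the Splunk App for Active
Directory; the sample events are constructed (made-up users and addresses)."""
import re
from collections import Counter

# Kerberos result codes (RFC 4120, section 7.5.9) as written in 4768/4771 events.
# 0x6 and 0x18 are the two cases observed in the thread.
KRB_CODES = {
    "0x0": "success",
    "0x6": "unknown username (KDC_ERR_C_PRINCIPAL_UNKNOWN)",
    "0x12": "account disabled, locked out or expired (KDC_ERR_CLIENT_REVOKED)",
    "0x17": "password expired (KDC_ERR_KEY_EXPIRED)",
    "0x18": "bad password (KDC_ERR_PREAUTH_FAILED)",
}

# Constructed sample: a bad username, then a bad password, then a success.
SAMPLE_LOG = """\
01/15/2013 09:12:01 AM
EventCode=4768
Keywords=Audit Failure
Message=A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:       TESTFAIL
Network Information:
    Client Address:     ::ffff:10.1.2.3
Additional Information:
    Result Code:        0x6
01/15/2013 09:12:20 AM
EventCode=4771
Keywords=Audit Failure
Message=Kerberos pre-authentication failed.
Account Information:
    Account Name:       jsmith
Network Information:
    Client Address:     ::ffff:10.1.2.3
Additional Information:
    Failure Code:       0x18
    Pre-Authentication Type:    2
01/15/2013 09:12:45 AM
EventCode=4768
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name:       jsmith
Network Information:
    Client Address:     ::ffff:10.1.2.3
Additional Information:
    Result Code:        0x0
"""

# Each event starts with a timestamp line; the header is Key=Value and the
# message body carries indented "Key:  Value" fields under section headings.
EVENT_START = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$", re.M)
HEADER = re.compile(r"^(\w+)=(.*)$", re.M)
FIELD = re.compile(r"^[ \t]+([A-Za-z][A-Za-z -]*?):[ \t]+(\S.*?)[ \t]*$", re.M)

def split_events(text):
    """Cut a multi-event log into one string per event."""
    starts = [m.start() for m in EVENT_START.finditer(text)]
    return [text[s:e] for s, e in zip(starts, starts[1:] + [len(text)])]

def parse_event(raw):
    """Flatten one event into a dict; spaces in field names become underscores."""
    header, _, message = raw.partition("Message=")
    ev = {"timestamp": raw.split("\n", 1)[0]}
    ev.update((k, v.strip()) for k, v in HEADER.findall(header))
    ev["Message"] = message.split("\n", 1)[0].strip()
    ev.update((k.replace(" ", "_"), v) for k, v in FIELD.findall(message))
    return ev

def classify(ev):
    """Return (account, client, outcome) for a 4768/4771 event, else None."""
    if ev.get("EventCode") == "4768":
        code = ev.get("Result_Code", "0x0")      # 4768 reports "Result Code"
    elif ev.get("EventCode") == "4771":
        code = ev.get("Failure_Code", "?")       # 4771 reports "Failure Code"
    else:
        return None                              # not a Kerberos AS event
    client = ev.get("Client_Address", "?").replace("::ffff:", "")
    return ev.get("Account_Name", "?"), client, KRB_CODES.get(code, f"other ({code})")

def failed_logons(text):
    """Count DC-side failed logons per (account, client, reason)."""
    counts = Counter()
    for raw in split_events(text):
        row = classify(parse_event(raw))
        if row and row[2] != "success":
            counts[row] += 1
    return counts

if __name__ == "__main__":
    for (account, client, reason), n in failed_logons(SAMPLE_LOG).items():
        print(f"{n}x {account} from {client}: {reason}")
```

Run as-is it reports one unknown-username failure for TESTFAIL and one bad-password failure for jsmith, both from 10.1.2.3; the successful 4768 is parsed but not counted. Only the Account Logon category on the DC produces these events, which is why the workstation-side 4625s never appear in the DC's Security log and why the subcategory above has to be enabled.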
Follow-up:
Suspecting an auditing issue on the DCs, I did some testing.
Logged off with my user account.
Tried to log in with a bad username (TESTFAIL)
Tried to log in with a good username and a BAD password
Logged in successfully
On the client device I see all the auditing correctly: 4634 for the logoff and 4625s for the failed login attempts. I then checked the (2) Domain Controllers to see if I could find corresponding events. I looked by type and at the general time in which I did this test, and I am not seeing anything.
Why aren't these audits captured on the DCs?
