All Apps and Add-ons

Splunk App for Windows Infrastructure: How to get logon and logoff audit information for our network domain admins?

pateld
Explorer

Hi

Currently I am trying to configure "Splunk App for Windows Infrastructure". Our goal is audit Logon/Logoff Domain Administrator.
After downloading the app, I have configured it by using "Guided Setup" under "Tools and Settings" and perform required steps to enable this app.
For "Active Directory\User Overview", I can see the data, but for "Active Directory\User Audit" and "Active Directory/Administrator Audit" I don't see any data.

Am I missing anything here? How can I get logon/logoff audit information for our network domain admins?

Thanks

0 Karma

BenTan
Path Finder

Hi,

Not sure if this is related, we did face an issue with one of the Administrator Audit panels under the Active Directory section: Administrator Logons.

After troubleshooting, we discovered part of the search was incorrect which leads to inaccurate results return. The default search for the panel is as below:

eventtype=msad-successful-user-logons dest_nt_domain="$select242$" user="$select244$"|rename src as src_ip|`ip-to-host`|`fix-localhost`|lookup SiteInfo host|dedup consecutive=t Site,src_nt_host,src_ip|table _time,Site,src_nt_host,src_ip|rename src_nt_host as Workstation,src_ip as "IP Address"

Just remove the |rename src as src_ip and the panel should return the proper result.

Hope this help!

Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...