Splunk App for Windows Infrastructure: How to get logon and logoff audit information for our network domain admins?
Hi
Currently I am trying to configure "Splunk App for Windows Infrastructure". Our goal is to audit Domain Administrator logon/logoff.
After downloading the app, I configured it by using "Guided Setup" under "Tools and Settings" and performed the required steps to enable this app.
For "Active Directory\User Overview", I can see the data, but for "Active Directory\User Audit" and "Active Directory/Administrator Audit" I don't see any data.
Am I missing anything here? How can I get logon/logoff audit information for our network domain admins?
Thanks
Hi,
Not sure if this is related, but we did face an issue with one of the Administrator Audit panels under the Active Directory section: Administrator Logons.
After troubleshooting, we discovered that part of the search was incorrect, which led to inaccurate results being returned. The default search for the panel is as below:
eventtype=msad-successful-user-logons dest_nt_domain="$select242$" user="$select244$"|rename src as src_ip|`ip-to-host`|`fix-localhost`|lookup SiteInfo host|dedup consecutive=t Site,src_nt_host,src_ip|table _time,Site,src_nt_host,src_ip|rename src_nt_host as Workstation,src_ip as "IP Address"
Just remove the |rename src as src_ip
and the panel should return the proper result.
Hope this helps!
