All Apps and Add-ons

Splunk App for Windows Infrastructure: In what index should Active Directory Data be stored?

Communicator

Not sure how this slipped past us when we installed the Splunk App for Windows Infrastructure, but we've got a sourcetype called ActiveDirectory that is going to our main index that I need to move elsewhere. I believe it's in main due to default settings, but I'm not finding the stanza where the sourcetype ActiveDirectory is being set or what's driving the collection of this data so it's unclear where I should add the index stanza.

We currently have:
Index windows that contains sourcetype DhcpSrvLog that comes from a custom DHCP app that copies stanzas from Splunk_TA_windows

Index wineventlog that contains sourcetypes (coming from Splunk_TA_windows/default/inputs.conf):

WinEventLog:Application
WinEventLog:Security
WinEventLog:System
(and coming from TA-DomainController-201R2/default/inputs.conf)
WinEventLog:DFS-Replication
WinEventLog:Directory-Service

Then also the index msad that contains the sourcetypes also coming from TA-DomainController-201R2/default/inputs.conf:
MSAD:NT6:Health
MSAD:NT6:Netlogon
MSAD:NT6:SiteInfo
Powershell:ScriptExecutionErrorRecord
Powershell:ScriptExecutionSummary

We also have perfmon index, but we've disabled all perfmon functions at the request of our DC admins due to performance hits.

Our PDC does also has the app TA-DomainController-2012R2 that contains the local/inputs.conf stanza:

[admon://ADMonitoring]
targetDC = <hostname>
baseline=false
disabled = false

I'd tend to think this is where the index for the ActiveDirectory sourcetype would be set, but I'm not finding any documentation to support that idea.

I need to know
1) If it would be best practice to include this sourcetype in one of the existing indexes or if keeping it in its own index would be preferred.
2) Is the is the admon://ADMonitoring stanza the correct place to designate the index for this data, or am I confused about what that stanza does?

Thank you!

0 Karma

SplunkTrust
SplunkTrust

Per Splunk TA for Active Directory:
https://splunkbase.splunk.com/app/3207/
indexes.conf has msad
and inputs for [admon] are as follows:
[admon://NearestDC]
monitorSubtree = 1
interval=3600
disabled=false
index=msad

cheers

0 Karma

Builder

Hi. Did you find an answer for what to do with your ActiveDirectory logs? I'm facing the same issue here.

0 Karma

SplunkTrust
SplunkTrust

the [admon] stanza comes with no index specification. you can place it in any index you would like by indicating one. I have seen many organizations point it to index = msad
hope it helps

0 Karma

Builder

Thank you for you answer. I was actually wondering if there's a TA for the ActiveDirectory logs that can map them to CIM. If that's even possible at all?

0 Karma

SplunkTrust
SplunkTrust

there is:
https://splunkbase.splunk.com/app/3207/
inputs.conf has admon as follow:
[admon://NearestDC]
monitorSubtree = 1
interval=3600
disabled=false
index=msad

0 Karma

Builder

Maybe I'm missing something here, but I can't see that this app has a tags.conf, which I understand is needed to map logs to CIM. My events looks like the samples presented by Splunk in the documentation.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/MonitorActiveDirectory#Sample_AD_monitoring_o...

0 Karma

Motivator

if it's not being set within the inputs.conf, then check the transforms.conf / props.conf and see if it's using a REGEX or something to define / transform the data before indexing. NIX app does that with syslog data.

0 Karma

Communicator

Thanks for the suggestion. I've gone through all the conf files, both default and local, for all apps that are installed on the DC the ActiveDirectory sourcetype is coming from... no where is there anything indicating sourcetype=ActiveDirectory.

As stated originally, the closest thing I can find is the admon://ADMonitoring stanza

0 Karma

Path Finder

am also facing similar issue, so far didn't find any solution for this. Could any one fixed please help me on the same.

0 Karma