I installed the Splunk Support for Active Directory add-on on my Splunk Enterprise and I made a first test with the ldapsearch command:
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="distinguishedName,objectCategory"
It works correctly, however, when I tried to run the ldapfilter command in order to get all user-logons events:
eventtype=msad-user-logons
| ldapfilter domain=mydomain search="(objectClass=user)" attrs="displayName"
It returns 0 results.
Are there any missing configurations or details I need to get this to produce results?
Thank you,
Another problem could be the eventtype in your root search. To verify that this is the problem, can you try just running eventtype=msad-user-logons by itself and see if results are returned?
I don't understand why you'd want to run a huge base search like index=foo and then do a second filter using | search.
ALWAYS ALWAYS ALWAYS filter as much data in your base search as possible. You should only use |search or |where if you're filtering based on calculated fields that are generated by other commands in your search.
It's perfectly fine to use an eventtype in your base search.
I tried eventtype=msad-user-logons by itself; it returns nothing!
@jchampagne I just meant to suggest making sure that the eventtype worked.
I also realized the issue I was thinking of is this weird thing when you run an eventtype=* as your root search, not eventtype=something. However, the point was to verify that the eventtype was the issue (which seems to have helped).
I'd happily edit my answer to avoid the extra pipe.
If you go to Settings > EventTypes and search for "msad-user-logons", do you actually see it?
I'm looking through the eventtypes for the latest version of the App for Windows Infrastructure and I do not see an eventtype with that name. The closest I can find is: msad-successful-user-logons
Eventually, I cannot see the eventtype "msad-user-logons".
Even eventtype=msad-successful-user-logons returns 0 results.
How can I return events with this event type?
FYI: I cannot open the App for Windows Infrastructure; here below is the error message returned:
"Aucune information de style ne semble associée à ce fichier XML. L'arbre du document est affiché ci-dessous."
Ok, it sounds like you've got some other problems going on with the App for Windows Infrastructure. If you want to use the event types from this app, I'd suggest you go back through the setup guide. Reinstall the app and make sure all of the technology add-ons are in their proper place.
With regard to your original question about using ldapfilter, all you need to do is craft a base search that will return usernames or some other token to pass onto the ldapfilter command. You don't have to use an eventtype from the App for Windows Infra.
Actually I'm using the Splunk Supporting Add-on for Active Directory app. I installed the forwarder on the Active Directory machine with the TA-DNSServer-NT6, TA-DNSServer-NT6-eventgen and TA-DomainController-2012R2 apps.
Regarding the App for Windows Infrastructure, I reinstalled the apps, and I got the same error!
In fact, I would like to build the User Overview, Failed Logons, ... dashboards. How can I proceed to do that?
Thank you.
@sdaghfous, is this the App you're referring to? https://splunkbase.splunk.com/app/1151/
Have you run through the full installation of the App for Windows Infrastructure? If this app is not installed correctly with all of the supporting components, it will not work correctly and you won't be able to use the Event Types contained in the App for Windows Infrastructure.
If you're having problems even opening dashboards for the App for Windows Infra., please review the documentation and reinstall: http://docs.splunk.com/Documentation/MSApp/1.2.0/MSInfra/AbouttheSplunkAppforMSInfrastructure
If you're still having issues, I'd suggest opening an additional question on answers for that or contacting Splunk Support.
The ldapfilter and ldapsearch commands are provided by the "Splunk Support for Active Directory App" (https://splunkbase.splunk.com/app/1151/). However, this is only one component of the overall "App for Windows Infrastructure" and all of the supporting Add-Ons.
@jchampagne, yes, I'm using this app.
Regarding the Splunk App for Windows Infrastructure, I already posted a question about this issue: https://answers.splunk.com/answers/341098/why-am-i-unable-to-access-the-splunk-app-for-windo.html.
What do you mean by "the supporting components"?
I copied the downloaded package to %splunk_home%\etc\apps\splunk_app_windows_infrastructure and I restarted Splunk.
@sdaghfous, there are various add-ons that need to get installed along with the App for Windows Infra. You can see them outlined here: http://docs.splunk.com/Documentation/MSApp/1.2.0/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastruc...
I'm not sure why you're getting an XML error, but I would suspect there is some kind of permission issue or misconfiguration. Please ensure you're following the setup steps outlined in the documentation. I would also search the _internal index to see what kind of errors you're seeing in the splunkd.log. Have you opened a case with Splunk support for this?
However, to answer the main question being asked here, it looks like the search you're attempting to run is not returning results for two reasons:
Go to Settings > Event Types and find msad-successful-user-logons. Once you locate that event type, run the search or searches that make up that event type. Keep in mind that event types can be nested, so msad-successful-user-logons may be made up of multiple event types. In that case, you'd need to find the sub-event types and run the searches behind them.
Eventually all event types will get down to one or more base searches; run that search or searches. If you're still not getting data, then it is because you've got a problem with data ingestion.
At that point, look at the data you are getting in and determine what criteria is missing. Is the sourcetype correct? Are all of the necessary fields getting extracted? Do you have the proper technology add-ons (TAs) installed on the forwarders, indexers, and search heads?
You need to put dollar signs $ around the variable/field you're inserting into the ldap filter.
For example, if eventtype=msad-user-logons is returning a field called "user" in the resultset, I could then use an ldapfilter that looks like this:
| ldapfilter domain=mydomain search="(objectClass=$user$)" attrs="displayName"
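The troubleshooting steps in this answer (find the event type, run the searches behind it, follow nested event types down to the base search, and notice when a referenced event type simply does not exist) can be automated against a copy of eventtypes.conf. The following Python script is an added example, not code from this thread or from the Splunk apps; the stanzas it contains are constructed placeholders, not the real definitions shipped with the App for Windows Infrastructure, and the event type names and searches in them are assumptions for illustration only.

```python
"""Expand nested Splunk event types down to the base search behind them.

Added example, not code from the thread or from the Splunk apps: it parses
eventtypes.conf-style text, follows every eventtype=<name> reference, and
returns the fully expanded search so it can be run directly to check whether
data is being ingested at all. The stanza contents below are constructed
placeholders, not the real definitions shipped with the App for Windows
Infrastructure.
"""
import configparser
import re

# Constructed sample eventtypes.conf (hypothetical definitions for illustration).
SAMPLE_EVENTTYPES_CONF = """
[windows-security]
search = sourcetype="WinEventLog:Security"

[msad-user-logons]
search = eventtype=windows-security (EventCode=4624 OR EventCode=4625)

[msad-successful-user-logons]
search = eventtype=msad-user-logons EventCode=4624
"""

# Matches eventtype=name or eventtype="name" inside a search string.
EVENTTYPE_REF = re.compile(r'eventtype=("?)([\w\-]+)\1')


def parse_eventtypes(conf_text):
    """Return {event type name: search string} from eventtypes.conf text."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    return {
        name: parser[name]["search"]
        for name in parser.sections()
        if "search" in parser[name]
    }


def resolve_eventtype(name, eventtypes, _path=()):
    """Expand `name` into its base search, recursing through nested event types.

    Raises KeyError for an undefined event type (the symptom in the thread when
    eventtype=msad-user-logons returned nothing) and ValueError on a cycle.
    """
    if name not in eventtypes:
        raise KeyError(f"event type {name!r} is not defined; check Settings > Event Types")
    if name in _path:
        raise ValueError(f"circular event type reference: {' -> '.join(_path + (name,))}")
    path = _path + (name,)

    def expand(match):
        # Replace each eventtype=<child> token with the child's expanded search.
        return "(" + resolve_eventtype(match.group(2), eventtypes, path) + ")"

    return EVENTTYPE_REF.sub(expand, eventtypes[name])


def undefined_references(eventtypes):
    """Names referenced via eventtype=... that have no stanza of their own."""
    referenced = {
        m.group(2)
        for search in eventtypes.values()
        for m in EVENTTYPE_REF.finditer(search)
    }
    return sorted(referenced - set(eventtypes))


if __name__ == "__main__":
    table = parse_eventtypes(SAMPLE_EVENTTYPES_CONF)
    for et in table:
        print(f"{et}: {resolve_eventtype(et, table)}")
    print("undefined references:", undefined_references(table))
```

Point the script at the eventtypes.conf of the app (or at the merged output of btool) instead of the constructed sample, paste the expanded search into the search bar, and the result tells you whether the problem is the event type definition or the ingested data; an empty list from undefined_references confirms that every eventtype= reference actually resolves, which is the check that would have caught the missing msad-user-logons event type earlier in this thread.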