Splunk for Active Directory Dashboard Problem
We are testing out the Active Directory for Splunk app and are running into one issue. We are getting data in from our DCs just fine and can query LDAP and get results for our searches/dashboards except for one. Under the AD app and Security menu, we select User Logon Failures. Everything in the dashboard populates except for Failed Logons by IP Address. We get "No matching events found". When we do an inspect, we see the following message.
DEBUG: base lispy: [ AND host::sdcfisorl01 index::main source::wineventlog:security [ OR 4625 529 530 531 532 533 534 535 536 537 539 675 [ AND 4768 audit failure ] [ AND 4771 audit failure ] ] ]
DEBUG: search context: user="admin", app="Splunk_for_ActiveDirectory", bs-pathname="C:\Program Files\Splunk\etc"
We have taken the search (eventtype=msad-failed-user-logons (host="SDCFISORL01")|fields _time,signature,src_ip,src_host,src_nt_domain,user,Logon_Type) and entered it in a search box where we get results. We can't figure out why the dashboard is not showing any data.
Any thoughts?
Same issue here, I found out that the field "src_ip" that the dashboard is using doesn't exist in the events.
So obviously the dashboard can't display anything...
Any idea why this field doesn't exist on events?
I have this exact issue and if I replace dest_nt_domain with src_nt_domain on 1.1.4 of the app it works. Help? Gonna open a ticket today.
I'm facing the same issue, any news about that?

There is a big long list there of event codes that your Active Directory systems should be generating. Take a look for eventtype=msad-failed-user-logons (which expands out to the big long list of event codes) to see if you are getting the data. It's probably not there.
My go-to reason is that there is a mistake in the audit settings for the GPO that is applied to the domain controllers. Since you are getting successful events, take a look at the Logon Audit and Account Logon Audit and ensure that both Success and Failure are checked.
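A quick way to do the check suggested above, and at the same time see whether the field the dashboard groups on is actually present, is a single diagnostic search. This is an added example, not part of the app or of anyone's post; it assumes the Windows event ID is extracted as EventCode (the usual name for wineventlog data) and uses the eventtype and src_ip field named in the thread.

```spl
eventtype=msad-failed-user-logons earliest=-24h
| eval has_src_ip=if(isnull(src_ip), "missing", "present")
| stats count by host, EventCode, has_src_ip
| sort host, EventCode
```

If a domain controller shows no rows at all, the failure codes are not reaching Splunk and the GPO audit settings are the first thing to verify; if rows appear but every one is "missing", the events are arriving and the problem is the field extraction rather than the audit policy.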
The problem is that this will only work if the extracted field exists and has some value I can check. Anyone know how I can do conditional stats with extracted fields that may or may not be there?
Okay it looks like my problem is the following. Some of the events do not include some of the extracted fields that the saved searches use to do stats; for example, "src_ip" or "dest_nt_domain" do not exist for that event. It looks like I need to find a way to do a conditional stats. I've been looking at using the eval command like in this article...
| eval newfield=if(DNSNAME=="N/A",IP,DNSNAME) | stats count by newfield
http://splunk-base.splunk.com/answers/37007/conditional-field-choice
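Applied to the fields in this thread, the conditional approach can be written with coalesce, which returns the first non-null argument, so events that lack src_ip fall back to src_host instead of being dropped by stats. This is an added example, not the app's saved search; the field names (src_ip, src_host, dest_nt_domain, src_nt_domain, user, Logon_Type) are the ones quoted earlier in the thread, and the "unknown" literal is a placeholder bucket for events missing all of them.

```spl
eventtype=msad-failed-user-logons
| eval src=coalesce(src_ip, src_host, "unknown")
| eval domain=coalesce(dest_nt_domain, src_nt_domain, "unknown")
| stats count AS failures, dc(user) AS distinct_users, values(Logon_Type) AS logon_types by src, domain
| sort - failures
```

Keeping the "unknown" bucket visible is deliberate: if it grows large, the extraction is broken for a class of events, which is something a blank dashboard panel would otherwise hide.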
We are getting both Successes and Failures into Splunk and have confirmed that the GPO is set up correctly. I can see that the dashboard calls the sec_logon_fail.xml view and that specific dashboard report calls the following search.
"
Not sure how to turn this into a complete search that I can try in the Splunk search app.
