
When does the admon input generate an update event (admonEventType=Update)?

Path Finder

Hi Splunkers,
I am struggling a little bit with the documentation of the Active Directory Monitoring input of the Splunk Add-on for Microsoft Windows.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/MonitorActiveDirectory

admon generates an event if there was a change to an AD object, for example a user. This is what the docs say:

When an AD object changes, Splunk generates an update event.

But what does that mean exactly? Is the update event only generated if there was a change to a user's group membership or if somebody has changed their phone number? Or is an event generated even if the user just logs in to a system?

If you look at the sample log, there is a field called lastLogon. In my understanding, if the last logon changes, there will be a new event from admon. Am I right?

2/1/10
3:17:18.009 PM                 

02/01/2010 15:17:18.0099
dcName=stuff.splunk.com
admonEventType=Update
Names:
                objectCategory=CN=Computer,CN=Schema,CN=Configuration
                name=stuff2
                displayName=stuff2
                distinguishedName=CN=stuff2,CN=Computers
Object Details:
                sAMAccountType=805306369
                sAMAccountName=stuff2
                logonCount=4216
                accountExpires=9223372036854775807
                objectSid=S-1-5-21-3436176729-1841096389-3700143990-1190
                primaryGroupID=515
                pwdLastSet=06:30:13 pm, Sat 11/27/2010
                lastLogon=06:19:43 am, Sun 11/28/2010
                lastLogoff=0
                badPasswordTime=0
                countryCode=0
                codePage=0
                badPwdCount=0
                userAccountControl=4096
                objectGUID=blah
                whenChanged=01:02.11 am, Thu 01/28/2010
                whenCreated=05:29.50 pm, Tue 11/25/2008
                objectClass=top|person|organizationalPerson|user|computer
Event Details:
                uSNChanged=2921916
                uSNCreated=1679623
                instanceType=4
Additional Details:
                isCriticalSystemObject=FALSE
                servicePrincipalName=TERMSRV/stuff2|TERMSRV blah
                dNSHostName=stuff2.splunk.com
                operatingSystemServicePack=Service Pack 2
                operatingSystemVersion=6.0 (6002)
                operatingSystem=Windows Vista? Ultimate
                localPolicyFlags=0
0 Karma
1 Solution

SplunkTrust

Hi,
we implemented a Universal Forwarder ourselves and I also had some questions regarding this topic. However, I don't get why people want to use the AD App, you're also restricted to Splunk running on Windows. Maybe read more about it here: http://blogs.splunk.com/2014/01/27/working-with-active-directory-on-splunk-universal-forwarders/

You cannot easily answer this by saying "yes" or "no". In most cases, the answer would be simply "no", a login is not logged as an admonEventType=Update. *
Splunk uses Microsoft's API to get change notifications (as mentioned in the blog above IIRC). A standard change notification for an object would be a password change (pwdLastSet). You can enable change notifications in the ADSI Editor if I am not wrong. But I am no AD guru, so better ask someone who knows how to enable object notifications for third-party applications.

* I am not talking about logons on the AD controller itself. Read more about some tips & tricks here: http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/


0 Karma
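Since the docs don't spell out which attribute triggered an Update, the practical way to find out is to parse the admon events and diff consecutive Update events for the same object. The following is an added example (not code from this thread, from Splunk, or from the add-on) that parses the multi-line admon format shown in the question; the sample event is constructed from the quoted one with most attributes trimmed.

```python
from datetime import datetime

# Constructed sample modelled on the admon event quoted in the question (attributes trimmed).
SAMPLE = """02/01/2010 15:17:18.0099
dcName=stuff.splunk.com
admonEventType=Update
Names:
                distinguishedName=CN=stuff2,CN=Computers
Object Details:
                sAMAccountName=stuff2
                pwdLastSet=06:30:13 pm, Sat 11/27/2010
                lastLogon=06:19:43 am, Sun 11/28/2010
                whenChanged=01:02.11 am, Thu 01/28/2010
                objectClass=top|person|organizationalPerson|user|computer
Event Details:
                uSNChanged=2921916
"""

# Timestamps appear in two shapes: "06:30:13 pm, Sat 11/27/2010" and "01:02.11 am, Thu 01/28/2010".
TIME_FORMATS = ("%I:%M:%S %p, %a %m/%d/%Y", "%I:%M.%S %p, %a %m/%d/%Y")

def parse_ad_time(value: str):
    """Return a datetime for an admon timestamp attribute, or None for 0 / unparseable values."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    return None

def parse_admon_event(raw: str) -> dict:
    """Flatten one admon event into a single dict: section headers ("Names:") are dropped,
    pipe-joined multi-valued attributes become lists, values are split on the first '=' only."""
    lines = raw.strip().splitlines()
    event = {"_time": lines[0].strip()}          # first line is the Splunk-side timestamp
    for line in lines[1:]:
        s = line.strip()
        if not s or (s.endswith(":") and "=" not in s):
            continue
        key, _, value = s.partition("=")          # DNs contain '=' themselves, so split once
        event[key] = value.split("|") if "|" in value else value
    return event

def changed_attributes(prev: dict, cur: dict) -> dict:
    """Attributes whose value differs between two Update events for the same object, ignoring
    the change counters themselves; e.g. a password reset shows up as pwdLastSet."""
    keys = (set(prev) | set(cur)) - {"_time", "uSNChanged", "whenChanged"}
    return {k: (prev.get(k), cur.get(k)) for k in keys if prev.get(k) != cur.get(k)}
```

Run over a real admon stream, grouping by objectGUID and ordering by uSNChanged, this tells you which attributes actually moved between two Update events instead of guessing from the docs.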


Path Finder

Hi, thanks for taking the time to give a detailed answer.
We will now use a different approach using PowerShell with the AD module to get this information out of AD.

0 Karma