Ok, Great! So we just got splunk running. Now what.
I've gone out and told it to grab AD data, so I thought Hey, how do I find failed logon attempts on the network? Even better, can I set a trigger to alert me when someone fails X times and the account gets locked out?
Any takers for a rookie question?
You might want to take a look at the Splunk App for Active Directory, which includes a dashboard for user logon failures. If you're going to install that app, be sure to read the New to Splunk? topic in that manual.
You can set up an alert based on those saved searches; see the Splunk Alerting Manual for more information.
You should get yourself a copy of the Windows Security Operations Center.
It will have pre-built searches and dashboards for this activity.
However, you can do what you ask without the app. To find and alert on locked accounts use the following search:
index=main sourcetype="*security*" EventCode=644 OR EventCode=4740
In the upper right select Create > Alert, give it a name and select realtime, and select Next.
Select Send Email, and enter your email address.
Select Include Results - Inline
Select Next and select your Sharing option.
yeah, so apparently i'm not completely talking to active directory until I install some forwarders. I saw "add data source" for AD or whatever on the firstrun page and did that.
Apparently its a bit more involved.
You don't need to install forwarders necessarily.
Go to Manager > Data Inputs > Remote Event Log Collections and select New. This will use WMI. You will need a windows domain account.
The service account that runs splunkd on the indexer needs to be a domain account. Here is an older post that speaks to WMI:
Great! This worked. Thanks!
Now we're hammering the daily limit for the free system. May have to dial it back a notch. 🙂
Do you have the deployment monitor app installed?
The initial data dump will be pretty large because it will collect all of the logs.
The deployment monitor > License Usage tab will show the indexing volume change over time.
Splunk support can help with license violations.