
Why are user details missing in the splunk logs?

Explorer

Hello All,

I have an ongoing issue with my Splunk environment. Actually, a user "Alex" has added "Brad" to the Remote Desktop Users on a server "xyzabc.com".

But when I'm reviewing my Splunk logs, it shows only user "Alex" details; it's not showing the name of "Brad" in the logs. Instead, it's showing only the Security ID of "Brad".

Please let me know what is causing this issue.

Thanks,

Ramu.R


Re: Why are user details missing in the splunk logs?

Ultra Champion

You need to define/add evt_resolve_ad_obj = 1 to the inputs.conf stanza for the security event log.

This will force the Splunk UF to try to resolve the SID to a user account.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor
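As an added illustration (not from the answer above), the inputs.conf stanza on the forwarder that the setting belongs in. The index name, the file path and the commented evt_dc_name line are assumptions; the Security channel name and the evt_resolve_ad_obj / evt_dc_name setting names are the ones documented for the Windows Event Log input.

```ini
# Assumed location on the forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf
# (or the local/inputs.conf of an app pushed from a deployment server).

[WinEventLog://Security]
disabled = 0
# "wineventlog" is an assumed index name; use your own.
index = wineventlog
# Default is 0: SIDs in the event text stay as S-1-5-... strings.
# 1 makes the forwarder translate them to account names before indexing,
# at the cost of AD lookups on every event from this channel.
evt_resolve_ad_obj = 1
# Optional: pin the domain controller used for the translation so lookups
# do not land on a random (possibly remote or busy) DC.
# evt_dc_name = dc01.xyzabc.com
```

The setting is per channel, so a host that only forwards events collected from other machines (a Windows Event Collector, where the channel is typically WinEventLog://ForwardedEvents) needs it on that stanza, and the translation then runs on the collector for every forwarded event. Restart the forwarder after editing.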

Highlighted

Re: Why are user details missing in the splunk logs?

Explorer

Thanks a lot, Nickhill. Let me try this and I will update you with the progress soon.


Re: Why are user details missing in the splunk logs?

Explorer

Did some research on this and came to know that it has been turned off by default because it causes a lot of lag with the events (minutes to hours) reaching Splunk. It can also cause resource issues, as this is done at the universal forwarder level. Also, seeing that we do not have universal forwarders on all of our Windows hosts, we have installed a UF on the Windows Event Collector and are getting the events to Splunk from there. I am not entirely sure this would work as expected.

This is directly from the same link you sent:

  • If you set this setting to 1, the input resolves the Active Directory Security IDentifier (SID) objects to their canonical names for a specific Windows Event Log channel.
  • If you enable the setting, the rate at which the input reads events on high-traffic Event Log channels can decrease. Latency can also increase during event acquisition. This is due to the overhead involved in performing AD translations.

I agree this is a great solution, but in my environment we need to look for some other way. Is there any other way to get my request done apart from the solution you provided?

Thanks,

Ramu.R


Re: Why are user details missing in the splunk logs?

Ultra Champion

The time lag is directly proportional to the number of events it performs the resolution against.
If the DC is very, very busy, yes, there can be some latency, but it's bearable in my environment. In my experience I have not seen "a lot of lag", but each environment is different.

I will post another answer shortly which covers a different approach.


Re: Why are user details missing in the splunk logs?

Ultra Champion

If you cannot use evt_resolve_ad_obj, the next best approach is to use a lookup.

Install and configure the Splunk Supporting Add-on for Active Directory (SA-ldapsearch), if you don't already have it:
https://splunkbase.splunk.com/app/1151/

Then try a search like this:

| ldapsearch domain=YOURDOMAIN search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,objectSid" 
| eval identity=lower(sAMAccountName) 
| rename objectSid as sid
| table identity sid
| outputlookup sid-identity.csv

This will give you a list of all the SIDs for your users (if it looks OK, schedule this to run once a day, etc.).

Go back to your Windows group membership logs and look at your fields; if you have the TA installed, you should have a field called Security_ID. (If not, or if it's not extracting correctly, you may want to extract it yourself.)

This inline rex will give you a quick and dirty result.

| rex "Subject:\s+Security ID:\s+(?P<Security_ID>\S+)"

Then lookup that SID in your lookup file:

| lookup sid-identity.csv sid as Security_ID OUTPUT identity

You should now have a field called identity which contains the samAccountName for the SID.

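The lookup approach above, worked through offline as an added example (this is not code from the answer or from Splunk): a constructed sid-identity.csv in the shape the scheduled ldapsearch search writes, and a constructed Security event 4732 (a member was added to a security-enabled local group) in the message layout that lands in _raw. One detail worth seeing in code: for this event the actor is under "Subject:", but the account that was added is only under "Member:", where Account Name is "-" when the SID was not resolved, so the lookup has to be applied to the Member SID rather than the Subject SID the quick rex captures. The example extracts all three blocks and resolves each through the CSV, then through a well-known-SID table, falling back to the raw SID. All names, SIDs and the Logon ID are made up.

```python
import csv
import io
import re

# Constructed sample of what `| outputlookup sid-identity.csv` in the post would
# write: two made-up accounts with made-up domain SIDs (assumption, not real data).
SID_IDENTITY_CSV = """identity,sid
alex,S-1-5-21-1111111111-2222222222-3333333333-1104
brad,S-1-5-21-1111111111-2222222222-3333333333-1105
"""

# Constructed sample of Security event 4732 as Splunk indexes the message text.
# The actor appears under "Subject:"; the added account appears only under
# "Member:", with Account Name "-" because the collecting host did not resolve
# the SID. Values are made up; the group SID is the real well-known SID of
# BUILTIN\Remote Desktop Users.
EVENT_4732 = """A member was added to a security-enabled local group.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1104
\tAccount Name:\t\tAlex
\tAccount Domain:\t\tXYZABC
\tLogon ID:\t\t0x3E7A5

Member:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105
\tAccount Name:\t\t-

Group:
\tSecurity ID:\t\tS-1-5-32-555
\tGroup Name:\t\tRemote Desktop Users
\tGroup Domain:\t\tBuiltin
"""

# Block label at line start, then its "Security ID:" line; \s+ spans the
# newline and the tabs between them. "Group Name:" does not match "^Group:".
BLOCK_SID_RE = re.compile(r"^(Subject|Member|Group):\s+Security ID:\s+(\S+)", re.MULTILINE)

# Well-known local SIDs are not users and never appear in an AD user export,
# so the one this thread is about is mapped here explicitly.
WELL_KNOWN_SIDS = {"S-1-5-32-555": "BUILTIN\\Remote Desktop Users"}


def load_sid_lookup(csv_text):
    """Parse the sid-identity CSV into {SID: identity}, same columns as the SPL lookup."""
    return {row["sid"]: row["identity"] for row in csv.DictReader(io.StringIO(csv_text))}


def extract_sids(event_text):
    """Return {"Subject": sid, "Member": sid, "Group": sid} for the blocks present."""
    return {label: sid for label, sid in BLOCK_SID_RE.findall(event_text)}


def resolve_sid(sid, lookup):
    """AD lookup first, then well-known SIDs; an unknown SID is returned unchanged."""
    return lookup.get(sid) or WELL_KNOWN_SIDS.get(sid) or sid


def enrich_event(event_text, lookup):
    """Attach identities to the actor, the added member and the target group."""
    sids = extract_sids(event_text)
    return {
        "subject_sid": sids.get("Subject"),
        "subject_identity": resolve_sid(sids.get("Subject"), lookup),
        "member_sid": sids.get("Member"),
        "member_identity": resolve_sid(sids.get("Member"), lookup),
        "group_sid": sids.get("Group"),
        "group_identity": resolve_sid(sids.get("Group"), lookup),
    }


if __name__ == "__main__":
    record = enrich_event(EVENT_4732, load_sid_lookup(SID_IDENTITY_CSV))
    for key, value in record.items():
        print(f"{key}: {value}")
```

The equivalent in SPL is a second rex anchored on "Member:\s+Security ID:" and a second lookup of that field against sid-identity.csv; a SID that stays unresolved after both steps is either a group, a computer account (the ldapsearch filter excludes those) or an account created after the lookup was last refreshed, which is the case the daily schedule is there to cover.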

Re: Why are user details missing in the splunk logs?

Explorer

Hello Nickhill,

Thanks a lot for the effort you are making to get this answer, you rock 🙂

Let me try this and keep you update with the progress.

Thanks,

Ramu.R


Re: Why are user details missing in the splunk logs?

Explorer

Hi Nickhill,

In my Splunk environment's Kaspersky logs, I was able to extract a few more fields. However, looking at some of the logs where viruses are found, I'm not sure what the action should be, since there is nothing in the logs indicating what it should be.

For the logs that contain "GNRLEVVIRUS_FOUND", the action is currently mapping to unknown with the automatic lookup that is in place. This is happening because we are not able to determine what the action should be; I believe this should be mapped to "allowed", but I'm not entirely sure.

I was not able to find any Kaspersky documentation that would help determine this. Are you able to provide any Kaspersky documentation that could help? Also, is there any documentation regarding the logs for field mapping?

Looking for your reply.

Thanks,

Ramu.R


Re: Why are user details missing in the splunk logs?

Ultra Champion

Hi Ramu, probably best to post this in a new question. I'll try and take a look.
