Splunk Search

Why are user details missing in the splunk logs?

mailmetoramu
Explorer

Hello All,

I have an ongoing issue with my Splunk environment. Actually, a user "Alex" has added "Brad" to the Remote Desktop Users group on a server "xyzabc.com".

But when I'm reviewing my Splunk logs, they show only user "Alex" details; they do not show the name of "Brad" in the logs. Instead they show only the Security ID of "Brad".

Please let me know what is causing this issue.

Thanks,

Ramu.R

1 Solution

nickhills
Ultra Champion

If you cannot use evt_resolve_ad_obj, the next best approach is to use a lookup.

Install and configure the Splunk supporting Add-On for AD, if you don't already have it:
https://splunkbase.splunk.com/app/1151/

Then try a search like this:

| ldapsearch domain=YOURDOMAIN search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,objectSid" 
| eval identity=lower(sAMAccountName) 
| rename objectSid as sid
| table identity sid
| outputlookup sid-identity.csv

This will give you a list of all the SIDs for your users (if it looks OK, schedule this to run once a day, etc.).

Go back to your Windows group membership logs and look at your fields; if you have the TA installed you should have a field called Security_ID. (If not, or if it's not extracting correctly, you may want to extract it yourself.)

This inline rex will give you a quick and dirty result.

| rex "Subject:\s+Security ID:\s+(?P<Security_ID>\S+)"

Then lookup that SID in your lookup file:

| lookup sid-identity.csv sid as Security_ID OUTPUT identity

You should now have a field called identity which contains the sAMAccountName for the SID.

If my comment helps, please give it a thumbs up!

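The lookup approach above, worked end to end offline as an added example (this is not the answerer's code and not part of the original thread). It parses a constructed sid-identity.csv of the shape the ldapsearch search writes (identity = lower(sAMAccountName), sid = objectSid) and a constructed Security event in the EventCode 4732 layout ("A member was added to a security-enabled local group"), with made-up domain SIDs. It goes one step beyond the answer's rex: that pattern captures only the Subject's SID (the account that made the change, "Alex" in the question), so the example captures the Security ID line under each of the Subject, Member and Group blocks, which is how you also resolve the account that was added ("Brad"). Names, SIDs and the event text are all constructed sample data.

```python
import csv
import io
import re

# Constructed sample of sid-identity.csv, as the answer's
# "| ldapsearch ... | outputlookup sid-identity.csv" search would write it.
LOOKUP_CSV = """identity,sid
alex,S-1-5-21-1111111111-2222222222-3333333333-1104
brad,S-1-5-21-1111111111-2222222222-3333333333-1105
"""

# Constructed sample Windows Security event (EventCode 4732). As in the
# question, the member that was added appears only as a SID ("Account Name: -").
# S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users.
EVENT = """\
04/12/2024 10:15:32 AM
LogName=Security
EventCode=4732
Message=A member was added to a security-enabled local group.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1104
\tAccount Name:\t\talex
\tAccount Domain:\t\tEXAMPLE
\tLogon ID:\t\t0x3E7

Member:
\tSecurity ID:\t\tS-1-5-21-1111111111-2222222222-3333333333-1105
\tAccount Name:\t\t-

Group:
\tSecurity ID:\t\tS-1-5-32-555
\tGroup Name:\t\tRemote Desktop Users
\tGroup Domain:\t\tBuiltin
"""

# Same shape as the answer's rex, but the leading block name is captured too,
# so the Member's SID (the added account) is extracted alongside the Subject's.
SID_RE = re.compile(
    r"(?P<block>Subject|Member|Group):\s+Security ID:\s+(?P<sid>S-[0-9-]+)"
)


def load_sid_lookup(csv_text):
    """Parse sid-identity.csv into {sid: identity}, the way | lookup matches on sid."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["sid"].strip().upper(): row["identity"].strip() for row in reader}


def extract_sids(event_text):
    """Return {block_name: sid} for every 'Security ID:' line in the event."""
    return {m.group("block"): m.group("sid") for m in SID_RE.finditer(event_text)}


def resolve_event(event_text, lookup):
    """Map each SID in the event to an identity.

    A SID that is not in the lookup is kept as the raw SID rather than
    silently dropped, so an unresolved value is visible in the result.
    """
    return {
        block: lookup.get(sid.upper(), sid)
        for block, sid in extract_sids(event_text).items()
    }


if __name__ == "__main__":
    lookup = load_sid_lookup(LOOKUP_CSV)
    for block, who in resolve_event(EVENT, lookup).items():
        print(f"{block}: {who}")
```

On the sample event this resolves Subject to alex and Member to brad, while the Group SID stays as S-1-5-32-555: the ldapsearch filter in the answer only exports user objects, so built-in groups are never in the lookup and fall through unresolved. In SPL the equivalent of the Member branch is a second rex on `Member:\s+Security ID:\s+(?P<Member_SID>\S+)` followed by `| lookup sid-identity.csv sid as Member_SID OUTPUT identity as member_identity`.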

mailmetoramu
Explorer

Hello Nickhill,

Thanks a lot for the effort you are making to get this answer, you rock 🙂

Let me try this and keep you updated with the progress.

Thanks,

Ramu.R


mailmetoramu
Explorer

Hi Nickhill,

In my Splunk environment Kaspersky logs, I was able to extract a few more fields based. However, looking at some of the logs, where viruses are found, I'm not sure what the action should be since there is nothing in the logs indicating what it should be.

The logs that contain "GNRL_EV_VIRUS_FOUND" - the action is currently mapping to unknown with the automatic lookup that is in place. This is happening because we are not able to determine what the action should be; I believe this should be mapped to "allowed", but I'm not entirely sure.

I was not able to find any Kaspersky documentation that would help determine this. Are you able to provide any Kaspersky documentation that could help? Also, any documentation regarding the logs for field mapping would help.

Looking for your reply.

Thanks,

Ramu.R


nickhills
Ultra Champion

Hi Ramu, probably best to post this in a new question. I'll try and take a look.

If my comment helps, please give it a thumbs up!

nickhills
Ultra Champion

You need to define/add evt_resolve_ad_obj = 1 to the inputs.conf stanza for the security event log.

This will force the Splunk UF to try to resolve the SID to a user account.

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Windows_Event_Log_Monitor

If my comment helps, please give it a thumbs up!

mailmetoramu
Explorer

Thanks a lot Nickhill, let me try this and will update you with the progress soon.


mailmetoramu
Explorer

Did some research on this and came to know that it is turned off by default because it causes a lot of lag with the events (minutes to hours) reaching Splunk. It can also cause resource issues, as this is done at the universal forwarder level. Also, seeing that we do not have universal forwarders on all of our Windows hosts, we have installed a UF on the Windows Event Collector and are getting the events to Splunk. I am not entirely sure this would work as expected.

This is directly from the same link you sent:

  • If you set this setting to 1, the input resolves the Active Directory Security IDentifier (SID) objects to their canonical names for a specific Windows Event Log channel.
  • If you enable the setting, the rate at which the input reads events on high-traffic Event Log channels can decrease. Latency can also increase during event acquisition. This is due to the overhead involved in performing AD translations.

I agree this was a great solution, but in my environment we need to look for some other ways. Are there any other ways to get my request done apart from the solution you provided?

Thanks,

Ramu.R


nickhills
Ultra Champion

The time lag is directly proportional to the number of events it performs the resolution against.
If the DC is very, very busy, yes, there can be some latency, but it's bearable in my environment - in my experience I have not experienced "a lot of lag", but each env is different.

I will post another answer shortly which covers a different approach.

If my comment helps, please give it a thumbs up!