Active Directory User Logon Failures

omatsei
Explorer

I've got the Active Directory app installed, and everything is working except the User Logon Failures tab. The search is:

search eventtype=msad-failed-user-logons (host="HOSTNAME") | fields _time,signature,src_ip,src_host,src_nt_domain,user,Logon_Type

However, the data is coming in tagged with the host as "HOSTNAME.domain". If I modify the search manually to say:

search eventtype=msad-failed-user-logons (host="HOSTNAME.domain") | fields _time,signature,src_ip,src_host,src_nt_domain,user,Logon_Type

Everything works. Is there a conf file I need to change somewhere?

ahall_splunk
Splunk Employee

The host field is set on the Universal Forwarder configuration, and we expect it to be the plaintext host without the domain, which is normally how it happens. Unfortunately, the app is not written in a way that supports host.domain tagging for the host. You will need to modify the app to support that.

Please feel free to file an enhancement request with our support group if you have a support contract.

omatsei
Explorer

Maybe I'm not explaining it right. The data is coming in tagged as "domaincontroller.domain", but I want it to be tagged as "domaincontroller". All the other data from the same domain controller, using the universal forwarder, is tagged as "domaincontroller". Why are the fields for the security stuff tagged differently?

omatsei
Explorer

I don't understand. I installed the Universal Forwarder on 5 domain controllers, as is required for the Active Directory app. Considering everything I've done is a completely out-of-the-box install, how can it not work?

omatsei
Explorer

No, if I select "Security" then "User Utilization", it says "No matching fields exist", and no results under any of the boxes.

phoffman_splunk
Splunk Employee

Does the "User Logon Failures" tab work now?

omatsei
Explorer

I just added that. Is there any way to test that app?

phoffman_splunk
Splunk Employee

Assuming you're on 1.1.4 since you just installed, check your ldap.conf file and add the attribute alternatedomain in your domain stanza, so it will look something like:

[HOSTNAME.domain]
alternatedomain=HOSTNAME

http://docs.splunk.com/Documentation/ActiveDirectory/1.1.4/DeployAD/ConfiguretheSA-ldapsearchsupport...
