Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Active Directory User Logon Failures

omatsei
Explorer
‎05-07-2013 06:49 AM

I've got the Active Directory app installed, and everything is working except the User Logon Failures tab. The search is:

search eventtype=msad-failed-user-logons (host="HOSTNAME") | fields _time,signature,src_ip,src_host,src_nt_domain,user,Logon_Type

However, the data is coming in tagged with the host as "HOSTNAME.domain". If I modify the search manually to say:

search eventtype=msad-failed-user-logons (host="HOSTNAME.domain") | fields _time,signature,src_ip,src_host,src_nt_domain,user,Logon_Type

Everything works. Is there a conf file I need to change somewhere?

Tags (1)
0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎05-07-2013 11:21 AM

The host field is set on the Universal Forwarder configuration, and we expect it to be the plaintext host without the domain, which is normally how it happens. Unfortunately, the app is not written in a way that support host.domain tagging for the host. You will need to modify the app to support that.

Please feel free to file an enhancement request with out support group if you have a support contract.

0 Karma
Reply

omatsei
Explorer
‎05-07-2013 11:45 AM

Maybe I'm not explaining it right. The data is coming in tagged as "domaincontroller.domain", but I want it to be tagged as "domaincontroller". All the other data from the same domain controller, using the universal forwarder, is tagged as "domaincontroller". Why are the fields for the security stuff tagged differently?

0 Karma
Reply

omatsei
Explorer
‎05-07-2013 11:39 AM

I don't understand. I installed the Universal Forwarder on 5 domain controllers, as it required for the active directory app. Considering everything I've done is a completely out-of-the-box install, how can it not work?

0 Karma
Reply

omatsei
Explorer
‎05-07-2013 07:42 AM

No, if I select "Security" then "User Utilization", it says "No matching fields exist", and no results under any of the boxes.

0 Karma
Reply

phoffman_splunk
Splunk Employee
Splunk Employee
‎05-07-2013 07:34 AM

does the "User Logon Failures tab" work now?

0 Karma
Reply

omatsei
Explorer
‎05-07-2013 07:25 AM

I just added hat. Is there any way to test that app?

0 Karma
Reply

phoffman_splunk
Splunk Employee
Splunk Employee
‎05-07-2013 07:17 AM

Assuming your on 1.1.4 since you just installed, check in your ldap.conf file and add the attribute alternatedomain in your domain stanza; so it will look something like:

[HOSTNAME.domain]
alternatedomain=HOSTNAME

http://docs.splunk.com/Documentation/ActiveDirectory/1.1.4/DeployAD/ConfiguretheSA-ldapsearchsupport...

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...