Getting Data In

Can I monitor Active Directory with Splunk?

Ledio_Ago
Splunk Employee

I have an Active Directory with several domain controllers. How can I monitor all activity in the Active Directory with Splunk?

1 Solution

piebob
Splunk Employee

AD monitoring is a feature provided by the Splunk Windows app, so you must have that app installed to use the feature. Once you've installed Splunk for Windows, you can add your AD instance as an input to be monitored. Note that since the feature is supported by the Splunk for Windows app in particular, you must do the configuring within that app's directory structure.

For full details, see http://docs.splunk.com/Documentation/Splunk/5.0/Data/AuditActiveDirectory


cervelli
Splunk Employee

Splunk can monitor all objects in AD. It starts by enumerating the entire directory and turning the resultant data into standard key-value pairs that Splunk interprets as fields (don't worry, your AD is not that big by Splunk standards... we promise).

From then on it monitors all changes made and records the new field values. It does this by tracking the 'universal serial number' (USN) that MSFT helpfully added to track replication changes. This too ends up in your Splunk.

With that info, you can monitor the health of your AD. Additionally, you can take all the meta data about users and computers and use it to annotate (i.e. do cross-lookups) your events at search time. For example, you can add a full name and phone number to a basic user name in a log event such as a change request.

You enable admon by turning on the input. A sample, disabled input is in the Windows Management sample app's inputs.conf that ships with Windows. You do not need the app to enable admon, but you must be running Splunk on a Windows box. Forwarders are fine if your primary indexer(s) are on *nix.

jared_anderson
Path Finder

So a universal forwarder isn't necessary on the domain controller?

0 Karma

Ledio_Ago
Splunk Employee

The AD monitoring happens by Splunk running the splunk-admon.exe "scripted input", which only runs if the Windows app is enabled.

You can run splunk-admon.exe directly from the command line:

%splunk_home%\splunk.exe cmd splunk-admon.exe

Splunk is not required to be installed and run on the AD box itself to be able to monitor it. You can install it on a separate machine and by default it will connect to the default DC and monitor AD activity that way.

0 Karma
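To make the two answers above concrete (cervelli's "turn on the input" and Ledio_Ago's "runs on a separate machine, connects to the default DC"), here is an inputs.conf fragment that enables the admon input. It is an added example, not the sample stanza that ships with the Windows app. The stanza keys used (disabled, monitorSubtree, index, targetDc, startingNode) are the ones documented for the admon input in inputs.conf.spec; the domain corp.example.com, the DC hostname, the OU and the index name are constructed placeholders.

```ini
# inputs.conf on the Windows host running Splunk or a universal forwarder.
# Added example, not the sample stanza shipped with the Windows app.
# Splunk .conf files only accept whole-line "#" comments, so every note
# below sits on its own line rather than after a value.
#
# Assumed location (adjust the app name):
#   %SPLUNK_HOME%\etc\apps\<your_app>\local\inputs.conf

# Stanza 1: baseline dump of the whole directory, then every change,
# taken from whichever DC the host discovers. Leaving out targetDc gives
# the "default DC" behaviour described in the thread.
[admon://NearestDC]
disabled = 0
# 1 = follow the subtree under the starting node (here: the whole forest)
monitorSubtree = 1
# constructed index name; create it before enabling the input so the
# baseline does not land in main
index = ad_audit

# Stanza 2: one OU only, read from an explicitly named DC. Useful when a
# high-churn OU (service accounts, admins) should be watched on a replica
# DC instead of the one the host would pick on its own.
[admon://ServiceAccounts]
disabled = 0
# constructed FQDN of a domain controller
targetDc = dc01.corp.example.com
# constructed distinguished name of the OU to start from
startingNode = OU=ServiceAccounts,DC=corp,DC=example,DC=com
monitorSubtree = 1
index = ad_audit
```

After saving the file, restart Splunk (or the forwarder) so the scripted input is picked up, then search the chosen index for the initial baseline; the objects arrive as key-value events, so fields such as sAMAccountName appear without extra parsing. The account the forwarder runs as needs read access to the directory; on a domain-joined host the default Local System account satisfies this through the machine account. Because the input pulls data over LDAP from a DC, the forwarder does not have to sit on the DC itself, which is the point jared_anderson asked about.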