Can I monitor Active Directory with Splunk?

Splunk Employee

I have an Active Directory with several domain controllers. How can I monitor all activity in the Active Directory with Splunk?

Splunk Employee

AD monitoring is a feature provided by the Splunk Windows app, so you must have that app installed to use the feature. Once you've installed Splunk for Windows, you can add your AD instance as an input to be monitored. Note that since the feature is supported by the Splunk for Windows app in particular, you must do the configuring within that app's directory structure.

For full details, see http://docs.splunk.com/Documentation/Splunk/5.0/Data/AuditActiveDirectory

Splunk Employee

Splunk can monitor all objects in AD. It starts by enumerating the entire directory and turning the resultant data into standard key-value pairs that Splunk interprets as fields (don't worry, your AD is not that big by Splunk standards... we promise).

From then on it monitors all changes made and records the new field values. It does this by tracking the 'universal serial number' (USN) that MSFT helpfully added to track replication changes. This too ends up in your Splunk.

With that info, you can monitor the health of your AD. Additionally, you can take all the metadata about users and computers and use it to annotate (i.e. do cross-lookups) your events at search time. For example, you can add a full name and phone number to a basic user name in a log event such as a change request.

You enable admon by turning on the input. A sample, disabled input is in the Windows Management sample app's inputs.conf that ships with Windows. You do not need the app to enable admon, but you must be running Splunk on a Windows box. Forwarders are fine if your primary indexer(s) are on *nix.

Path Finder

So a universal forwarder isn't necessary on the domain controller?

Splunk Employee

The AD monitoring happens by Splunk running the splunk-admon.exe "scripted input", which only runs if the Windows app is enabled.

You can run splunk-admon.exe directly from the command line:

%splunk_home%\splunk.exe cmd splunk-admon.exe

Splunk is not required to be installed and run on the AD box itself to be able to monitor it. You can install it on a separate machine and by default it will connect to the default DC and monitor AD activity that way.

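For anyone who wants to see what the enabled admon input looks like in practice, here is an added example inputs.conf stanza (written for this page, not taken from the docs or from the posts above). The app path and the index name are assumptions; the stanza settings are the standard admon keys.

```ini
# Added example: a minimal enabled admon input for inputs.conf.
# Put it under the Windows app's local directory, e.g.
#   $SPLUNK_HOME\etc\apps\<windows-app>\local\inputs.conf
# (the app directory name is an assumption; use whichever Windows app you run).
[admon://NearestDC]
# Empty targetDc binds to the nearest/default domain controller, which is how an
# off-box Splunk instance finds a DC. Set a DC FQDN to pin collection to one controller.
targetDc =
# Empty startingNode enumerates from the domain root. A DN such as
# OU=Servers,DC=example,DC=com scopes both the baseline and change tracking.
startingNode =
# Follow changes below startingNode, not just the node itself.
monitorSubtree = 1
# Collect the initial enumeration so you have a known-good baseline to diff against.
baseline = 1
# Route AD events to their own index so retention and role-based access can differ
# from general Windows event logs (index name is a constructed example).
index = ad_audit
# The sample stanza shipped with the app is disabled = 1; set 0 to start collecting.
disabled = 0
```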