Getting Data In

Can you help me with a dhcp user monitoring issue on a Windows Active Directory (AD) Server?

TitanAE
New Member

I have a Windows AD Server that I'm monitoring in my home Splunk lab. I'm also collecting Syslog data from my firewall. My hope was to see users traversing the network and pulling a DHCP address from their machine, then pulling their names via LDAP, and marrying that to my firewall logs.

However, I'm not getting IP addresses and associated Windows usernames within the same events.

I'm specifically monitoring DHCP log files in Windows, so that helps a bit, and I've made sure to allow logging of group policy events in Windows. However, there's something I'm blind to right now.

Any help is appreciated.

0 Karma

kent_farries
Path Finder

I'm not sure I have enough to go on but here we go.

EventID/EventCode 4624 has both the user and IP address for the signature of "An account was successfully logged on".

You can run this search to see if you are getting 4624 events. If you are not, you need to configure your Domain Controllers' Advanced Audit Policy (don't use Legacy if you can help it) for logon events. A good guide on how to set up Advanced Logging can be found by searching "Windows Logging Cheat Sheet".

index=wineventlog "Put the Username here or the IP Address"
| fillnull value=unknown
| stats count by user,src_ip,EventCode,signature

Now, if you want to combine events with the Windows DHCP logs, you can do something like this. I'm sure there is a better way (lookups), but you get the idea.

index=wineventlog "ipaddress of one of your systems"
| eval ip=coalesce(src_ip,Source_Address)
| join type=left ip
    [ search index=windows sourcetype=DhcpSrvLog earliest=-2d latest=now
      | fields ip,dest_nt_host,nt_host ]
| fillnull value=unknown
| stats count by user,ip,nt_host,dest_nt_host,EventCode,signature

Hope this helps

0 Karma
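The join above matches a logon to a DHCP record purely by IP, so when an address is re-leased to a different machine the wrong host can be attached. The following is an added Python example (not from this thread or from Splunk) that performs the same IP-to-host correlation offline on constructed DHCP audit-log lines and constructed 4624 events, choosing the most recent lease at or before each logon; the field names user, src_ip and nt_host mirror the answer's search, and the 24-hour lease window is an assumption.

```python
"""Correlate Windows DHCP audit-log leases with 4624 logon events by IP,
honouring lease order so a re-leased address maps to the right host."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample lines in the Windows DHCP server audit log layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
# (ID 10 = Assign, 11 = Renew). Note 192.168.1.50 is leased twice.
DHCP_LOG = """\
10,03/14/24,08:00:05,Assign,192.168.1.50,LAPTOP-A.home.lab,001122334455
10,03/14/24,09:30:00,Assign,192.168.1.50,LAPTOP-B.home.lab,66778899AABB
11,03/14/24,08:05:00,Renew,192.168.1.60,DESKTOP-C.home.lab,CCDDEEFF0011
"""

# Constructed 4624 events after field extraction (user, src_ip, time).
LOGONS = [
    {"_time": "03/14/24 08:10:00", "user": "alice", "src_ip": "192.168.1.50"},
    {"_time": "03/14/24 09:45:00", "user": "bob", "src_ip": "192.168.1.50"},
    {"_time": "03/14/24 08:06:00", "user": "carol", "src_ip": "192.168.1.60"},
    {"_time": "03/14/24 07:00:00", "user": "dave", "src_ip": "192.168.1.70"},
]

FMT = "%m/%d/%y %H:%M:%S"


def parse_dhcp(text):
    """Return (lease_time, ip, host) tuples for Assign/Renew lines, oldest first."""
    leases = []
    for row in csv.reader(StringIO(text)):
        # Skip header/banner lines and anything that is not a lease event.
        if len(row) < 7 or row[3] not in ("Assign", "Renew"):
            continue
        when = datetime.strptime(f"{row[1]} {row[2]}", FMT)
        leases.append((when, row[4], row[5]))
    return sorted(leases)


def correlate(logons, leases, max_age=timedelta(hours=24)):
    """Attach nt_host to each logon: the latest lease for its IP at or before
    the logon time, within max_age; 'unknown' when no lease qualifies."""
    out = []
    for ev in logons:
        t = datetime.strptime(ev["_time"], FMT)
        host = "unknown"
        for lease_time, ip, name in leases:  # sorted, so later leases win
            if ip == ev["src_ip"] and lease_time <= t and t - lease_time <= max_age:
                host = name
        out.append({**ev, "nt_host": host})
    return out
```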