Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me with a dhcp user monitoring issue on a Windows Active Directory (AD) Server?

TitanAE
New Member
‎09-12-2018 08:00 AM

I have a Windows AD Server that I'm monitoring in my home Splunk lab. I'm also collecting Syslog Data from my firewall. My hope was to see users traversing the network and pulling a dhcp address from their machine. Then pulling there names via LDAP, and marrying that to my firewall logs.

However I'm not getting ip addresses and associated windows usernames within the same events.

I'm specifically monitoring dhcp log files in Windows. So that helps a bit. And I've made sure to allow logging of group policy events in Windows. However there's something I'm blind to right now.

Any help is appreciated.

0 Karma
Reply

kent_farries
Path Finder
‎09-18-2018 02:57 PM

I'm not sure I have enough to go on but here we go.

EventID/EventCode 4624 has both the user and IP address for the signature of "An account was successfully logged on".

You can run this search to see if you are getting 4624 events. If you are not you need to configure your Domain Controllers Advanced Audit Policy (Don't use Legacy if you can help it) for logon events. A good guide on how to setup Advanced Logging can be found by searching "Windows Logging Cheat Sheet".

index=wineventlog "Put the Username here or the IP Address"
| fillnull value=unknown
| stats count by user,src_ip,EventCode,signature

Now if you want to combine events with the Windows DHCP logs you can do something like this. I'm sure there is a better way (lookups) but you get the idea.

index=wineventlog "ipaddress of one of your systems"
| eval ip=coalesce(src_ip,Source_Address)
| join ip type=left
[ search index=windows sourcetype=DhcpSrvLog earliest=-2d latest=now()
| fields ip,dest_nt_host,nt_host]
| fillnull value=unknown
| stats count by user,ip,nt_host,dest_nt_host,EventCode,signature

Hope this helps

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...