
Can you help me with a dhcp user monitoring issue on a Windows Active Directory (AD) Server?

TitanAE
New Member

I have a Windows AD Server that I'm monitoring in my home Splunk lab. I'm also collecting Syslog data from my firewall. My hope was to see users traversing the network and pulling a DHCP address from their machine, then pulling their names via LDAP, and marrying that to my firewall logs.

However I'm not getting ip addresses and associated windows usernames within the same events.

I'm specifically monitoring dhcp log files in Windows. So that helps a bit. And I've made sure to allow logging of group policy events in Windows. However there's something I'm blind to right now.

Any help is appreciated.

0 Karma

kent_farries
Path Finder

I'm not sure I have enough to go on but here we go.

EventID/EventCode 4624 has both the user and IP address for the signature of "An account was successfully logged on".

You can run this search to see if you are getting 4624 events. If you are not, you need to configure your Domain Controllers' Advanced Audit Policy (don't use Legacy if you can help it) for logon events. A good guide on how to set up Advanced Logging can be found by searching "Windows Logging Cheat Sheet".

index=wineventlog "Put the Username here or the IP Address"
| fillnull value=unknown
| stats count by user,src_ip,EventCode,signature

Now if you want to combine events with the Windows DHCP logs you can do something like this. I'm sure there is a better way (lookups) but you get the idea.

index=wineventlog "ipaddress of one of your systems"
| eval ip=coalesce(src_ip,Source_Address)
| join type=left ip
[ search index=windows sourcetype=DhcpSrvLog earliest=-2d latest=now
| fields ip,dest_nt_host,nt_host]
| fillnull value=unknown
| stats count by user,ip,nt_host,dest_nt_host,EventCode,signature

Hope this helps.

0 Karma
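As an added illustration (not code from the thread), the correlation the `join` above performs, done offline in Python against constructed DHCP audit-log rows and 4624 records. It matches each logon to the lease that was active at logon time, which a latest-lease join can get wrong once an address is released and handed to another host. The log columns, the 8-hour lease duration and the field names are assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Windows DHCP server audit-log rows (constructed sample; a subset of the real
# header columns). ID 10 = new lease, 11 = renewal, 12 = release.
DHCP_LOG = """ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,05/01/21,08:00:00,Assign,192.168.1.50,LAPTOP-A.lab.local,00AA11BB22CC
12,05/01/21,12:00:00,Release,192.168.1.50,LAPTOP-A.lab.local,00AA11BB22CC
10,05/01/21,12:30:00,Assign,192.168.1.50,LAPTOP-B.lab.local,00AA11BB22DD
"""

# EventCode 4624 logons (constructed), reduced to the fields used in the thread.
LOGONS = [
    {"_time": "05/01/21 09:15:00", "user": "alice", "src_ip": "192.168.1.50"},
    {"_time": "05/01/21 13:05:00", "user": "bob", "src_ip": "192.168.1.50"},
    {"_time": "05/01/21 14:00:00", "user": "carol", "src_ip": "192.168.1.99"},
]

LEASE_DURATION = timedelta(hours=8)  # assumed scope lease time
TIME_FMT = "%m/%d/%y %H:%M:%S"

def build_leases(log_text):
    """Return [ip, host, start, end] intervals; a release closes the open lease early."""
    leases = []
    for row in csv.DictReader(StringIO(log_text)):
        ip, host = row["IP Address"], row["Host Name"]
        ts = datetime.strptime(row["Date"] + " " + row["Time"], TIME_FMT)
        if row["ID"] in ("10", "11"):
            leases.append([ip, host, ts, ts + LEASE_DURATION])
        elif row["ID"] == "12":
            for lease in leases:
                if lease[0] == ip and lease[2] <= ts < lease[3]:
                    lease[3] = ts
    return leases

def host_for(leases, ip, when):
    """Host holding `ip` at `when`, or 'unknown' (the SPL fillnull equivalent)."""
    for lip, host, start, end in leases:
        if lip == ip and start <= when < end:
            return host
    return "unknown"

def correlate(log_text, logons):
    """Pair each 4624 logon with the DHCP host that held its source IP at that time."""
    leases = build_leases(log_text)
    return [(e["user"], e["src_ip"],
             host_for(leases, e["src_ip"], datetime.strptime(e["_time"], TIME_FMT)))
            for e in logons]
```

The same time-bounded matching is what a Splunk lookup keyed only on `ip` cannot express, so refresh such a lookup often or carry the lease start/end into it.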