Getting Data In

Deploying SPLUNK for Active Directory Auditing

splunk_sa
Explorer

I am very new to SPLUNK, If some one could help me on 2 issues I am having with Deploying Splunk for Active Directory Auditing.
some background of the Environment is = Windows 2012 Standard, Active Directory Forest and domain levels are 2008,
Auditing is turned on and logged in security logs in each domain controller, have about 100 domain controllers.
Splunk version is Splunk Enterprise 6.5.3.

Issue#1- Having issue installing splunkforwarder-6.5.3-36937ad027d4-x64-release.msi on windows 2012 standard domain controller. The installer starts normal, key in Splunk IP Address etc, copy file progress to about 75% and stops for ever. while installer is frozen for long itme, I see Splunkforwarder Service can be seen but not started I can start it. All looks normal, can see client registered in the splunk server. But as soon as the domain controller is rebooted, the Universal Forwarder gets Uninstalled. Bin directory empty and Splunkforwarder service throw error "cannot start fine not found.
This version should be supported on windows 2012 and windows 2012 R2.

Issue#2
I find multiple documents for Splunk for Active directory Auditing, Can some one point me to right one?
https://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory

AND
http://docs.splunk.com/Documentation/MSExchange/3.4.1/DeployMSX/DeploytheSplunkAdd-onsforActiveDirec...

AND
http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/Deploymentprocess

Thanks a lot
regards

0 Karma

splunk_sa
Explorer

Thanks for your reply: I managed to get around the Forwarder install issue by using this command line install
msiexec.exe /i splunkforwarder-6.5.3-36937ad027d4-x64-release.msi /l*v splunkF.log
So for AD Auditing, we have appropriate Group policy Auditing turned on and we get that in Security event logs. We like to collect the AD Security logs which will help us to search, Active directory Auditing, who access, deleted, added to group ETC. Forwarding Event logs from a installed Forwarder is one thing but I am not clear how Splunk Add on for Active Directory OR Splunk App for Active Directory
play role in Active Directory Auditing. If I could only have one solid support document how to Audit your Active Directory Environment by Splunk that would be great.
thanks

0 Karma

adonio
Ultra Champion

when enabling the [admon://default]inputs stanza, you will collect AD data to splunk.
when enabling the [WinEventLog://Security] inputs stanza, you will collect the security logs
these stanzas are in the inputs.conf file in the TA's (AD and windows)
windows: https://splunkbase.splunk.com/app/742/
AD: https://splunkbase.splunk.com/app/3207/
place these apps on forwarders to collect data, on indexers to create the correct indexes for logs, and on search heads for search time field extractions and knowledge objects.
now when you have all the data you need, create searches. here is a small sample search that will return created accounts in AD:

sourcetype=WinEventLog:Security object_category="user" msad_action="created" 
| eval CreatedBy = mvindex(Security_ID,0) 
| table _time user CreatedBy ComputerName
0 Karma

adonio
Ultra Champion

hello splunk_sa,
will leave the forwarder issue for now and focus on the AD audit.
From little experience, i would advise to take a step back and first ask yourself, what is it that you want to audit.
then, will install the add-on following steps described here: http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/ConfigureActiveDirectoryauditpolicy
now that you verified you have the data and you know the questions you have for this data, you can look if there are prebuilt reports and dashboards that answer those questions, or create your own.
hope it helps

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...