
Deploying SPLUNK for Active Directory Auditing


I am very new to Splunk. If someone could help me on 2 issues I am having with deploying Splunk for Active Directory auditing.
Some background on the environment: Windows 2012 Standard, Active Directory forest and domain levels are 2008,
auditing is turned on and logged in the security logs on each domain controller; we have about 100 domain controllers.
Splunk version is Splunk Enterprise 6.5.3.

Issue #1: Having an issue installing splunkforwarder-6.5.3-36937ad027d4-x64-release.msi on a Windows 2012 Standard domain controller. The installer starts normally, I key in the Splunk IP address etc., the copy-file progress gets to about 75% and stops forever. While the installer is frozen for a long time, I can see the SplunkForwarder service; it is not started, but I can start it. All looks normal, and I can see the client registered in the Splunk server. But as soon as the domain controller is rebooted, the Universal Forwarder gets uninstalled: the bin directory is empty and the SplunkForwarder service throws the error "cannot start, file not found".
This version should be supported on Windows 2012 and Windows 2012 R2.

I find multiple documents for Splunk for Active Directory auditing. Can someone point me to the right one?



Thanks a lot



Thanks for your reply. I managed to get around the forwarder install issue by using this command-line install:
msiexec.exe /i splunkforwarder-6.5.3-36937ad027d4-x64-release.msi /l*v splunkF.log
So for AD auditing, we have the appropriate Group Policy auditing turned on and we get that in the Security event logs. We would like to collect the AD security logs, which will help us to search Active Directory auditing: who accessed, deleted, added to a group, etc. Forwarding event logs from an installed forwarder is one thing, but I am not clear how the Splunk Add-on for Active Directory or the Splunk App for Active Directory
plays a role in Active Directory auditing. If I could only have one solid support document on how to audit your Active Directory environment with Splunk, that would be great.


Ultra Champion

When enabling the [admon://default] inputs stanza, you will collect AD data into Splunk.
When enabling the [WinEventLog://Security] inputs stanza, you will collect the security logs.
These stanzas are in the inputs.conf file in the TAs (AD and Windows).
Place these apps on forwarders to collect data, on indexers to create the correct indexes for the logs, and on search heads for search-time field extractions and knowledge objects.
Now, when you have all the data you need, create searches. Here is a small sample search that will return created accounts in AD:

sourcetype=WinEventLog:Security object_category="user" msad_action="created"
| eval CreatedBy = mvindex(Security_ID,0)
| table _time user CreatedBy ComputerName
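To make the two stanzas named in the answer above concrete, here is an added inputs.conf fragment for the Universal Forwarder on a domain controller; it is not from this thread or from the Splunk add-ons themselves, and the index names and the event-ID whitelist are assumptions chosen to match the "who was created, deleted, added to a group" questions in the original post.

```ini
# inputs.conf in a local app on the Universal Forwarder (added example;
# index names and the whitelist are assumptions, not settings from the thread)

# Security event log of the domain controller
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
# Forward only the account-management events the audit questions need:
# 4720 user created, 4726 user deleted,
# 4728 / 4732 / 4756 member added to a global / local / universal group,
# 4740 account locked out, 4767 account unlocked
whitelist = 4720,4726,4728,4732,4756,4740,4767

# Active Directory replication-based change monitoring (admon)
[admon://default]
disabled = 0
index = msad
monitorSubtree = 1
baseline = 1
```

The whitelist keeps the volume from roughly 100 domain controllers down, but any event ID not listed is never indexed, so widen it to cover every question you plan to ask before relying on the data; the indexes named here must also exist on the indexers.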

Ultra Champion

Hello splunk_sa,
I will leave the forwarder issue for now and focus on the AD audit.
From a little experience, I would advise taking a step back and first asking yourself what it is that you want to audit.
Then, install the add-on following the steps described here:
Now that you have verified you have the data and you know the questions you have for this data, you can look at whether there are prebuilt reports and dashboards that answer those questions, or create your own.
Hope it helps.
