Re: How do you assign host value for ActiveDirecto...

Jason_1 · ‎03-18-2011

I have the 4.2 universal forwarder installed on an Active Directory DC, but have been unable to assign the fqdn as the host value for ActiveDirectory (splunk-admon) events. Setting host=fqdn in inputs.conf sets the correct host value for WinEventLog and WMI events, but not for ActiveDirectory. Tried setting host=fdqn in admon.conf but did not have any effect. Also tried the following transform but still had no effect...

$splunkhome/etc/system/local/props.conf

[ActiveDirectory] 
TRANSFORMS-rowandc = rowandc-host

$splunkhome/etc/system/local/transforms.conf

[rowandc-host]
DEST_KEY = MetaData:Host
REGEX = dcName=(\w*\.rowanads\.rowan\.edu)
FORMAT = host::$1

Sample data...

03/18/2011 11:25:50.073
dcName=ads4.rowanads.rowan.edu
admonEventType=Deleted
objectGuid=removed
distinguishedName=removed
host=ADS4      sourcetype=ActiveDirectory      source=ActiveDirectory

woodcock · ‎06-03-2015

That should work but you will need to restart every Indexer first (which you probably did not do). I would also use something like this instead of what you are using:

REGEX = dcName=(.*)[\r\n]

How do you assign host value for ActiveDirectory source?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation