Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to do LDAP audit/access logs integration with Splunk?

splunkpri
Explorer
‎03-11-2022 07:37 AM

Hi team,

I am new to Splunk please help me here

We have integrated one Algosec application with SPlunk Via Syslog method and collecting Audit logs

Means successful login/ unsuccessful login to Algosec Application. In logs we are getting only Algosec application IP but not source IP(Which is actually trying to login). We have checked in AD logs based on username, target IP(Algosec IP) as well but not able see any information of source IP. 

LDAP configuration is done on Algosec application

So my question is which method is useful to get actual source IP

1. Could I get Source IP in Ldap audit logs via event viewer. if yes then how I can forward this logs to Splunk from Event viewer

Windows Event Viewer > Applications and Services Logs > Directory Service

https://www.manageengine.com/products/active-directory-audit/how-to/images/how-to-audit-ldap-queries...

2. Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)- This Ad-on is useful to get LDAP audit logs to find out source IP

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.3/User/AbouttheSplunkSupportingAdd-onforActi...

Labels (5)
Tags (2)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎03-15-2022 07:30 AM

 Could I get Source IP in Ldap audit logs via event viewer?

* I'm not sure if someone in the Splunk community knows about it. But this is more of a Windows/AD question.

 

if yes then how I can forward this logs to Splunk from Event viewer

* There is WinEventLog input that comes pre-bundled with Splunk that you can use.

* For example, Windows Defender logs present under Microsoft > Windows > Windows Defender > Operational logs on EventViewer. That you can collect with [WinEventLog:Microsoft-Windows-Windows Defender/Operational] input stanza.

* If you can see the details in EventViewer there seems like a way to get that into Splunk.

* Reference - https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/MonitorWindowseventlogdata

 

On a side note please make sure you have read this, because chances are it already has answer to what you are looking for.

* Admon Inputs - https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/MonitorActiveDirectory

* Windows Add-on - https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/AbouttheSplunkAdd-onforWindows

 

0 Karma
Reply

splunkpri
Explorer
‎03-13-2022 10:48 PM

Hi Team, Please update on this

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...
Top