Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get Windows domain log in data

Bill_B
Communicator
‎01-28-2014 03:18 PM

Hi All,

I am trying to collect data for Windows log on/off time, user and machine. I am running Splunk enterprise 6 on a linux. Is there any "easy" way to get this data to splunk without using forwarders or splunk app for active directory?

Thanks.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎01-28-2014 04:25 PM

You can monitor a variety of Windows data without a forwarder, but there are tradeoffs to using WMI. Have you looked at the Windows data information in the Getting Data In manual? It has information about WMI and ActiveDirectory, as well as event logs, registry, host, and performance data.

Reply

lukejadamec
Super Champion
‎01-29-2014 07:00 PM

Yer welcome, but be warned. Trying to monitor logon logoff transactions with Anything is fraught with peril because Windows often times loses the logoff part. Perhaps with the 6.1 Splunk you can create a knowledge object that associates a system shutdown with a logoff, but I've not tried it.

0 Karma
Reply

Bill_B
Communicator
‎01-29-2014 06:30 PM

Thanks for the response! 🙂

0 Karma
Reply

lukejadamec
Super Champion
‎01-28-2014 04:39 PM

You don't need the active directory app to monitor user authentication by the domain controllers, but you do need the windows security log on the domain controllers. WMI can work, but WMI is not as reliable as ChrisG mentioned.
Also, monitoring only domain controllers will not show you local account logon events.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...