Getting Data In

How to get Windows domain log in data

Bill_B
Communicator

Hi All,

I am trying to collect data for Windows log on/off time, user and machine. I am running Splunk enterprise 6 on a linux. Is there any "easy" way to get this data to splunk without using forwarders or splunk app for active directory?

Thanks.

0 Karma

ChrisG
Splunk Employee
Splunk Employee

You can monitor a variety of Windows data without a forwarder, but there are tradeoffs to using WMI. Have you looked at the Windows data information in the Getting Data In manual? It has information about WMI and ActiveDirectory, as well as event logs, registry, host, and performance data.

lukejadamec
Super Champion

Yer welcome, but be warned. Trying to monitor logon logoff transactions with Anything is fraught with peril because Windows often times loses the logoff part. Perhaps with the 6.1 Splunk you can create a knowledge object that associates a system shutdown with a logoff, but I've not tried it.

0 Karma

Bill_B
Communicator

Thanks for the response! 🙂

0 Karma

lukejadamec
Super Champion

You don't need the active directory app to monitor user authentication by the domain controllers, but you do need the windows security log on the domain controllers. WMI can work, but WMI is not as reliable as ChrisG mentioned.
Also, monitoring only domain controllers will not show you local account logon events.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...