How to get Windows domain log in data


You can monitor a variety of Windows data without a forwarder, but there are tradeoffs to using WMI. Have you looked at the Windows data information in the Getting Data In manual? It has information about WMI and ActiveDirectory, as well as event logs, registry, host, and performance data.
Yer welcome, but be warned. Trying to monitor logon/logoff transactions with Anything is fraught with peril because Windows oftentimes loses the logoff part. Perhaps with the 6.1 Splunk you can create a knowledge object that associates a system shutdown with a logoff, but I've not tried it.
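
The shutdown-as-logoff association suggested in the reply above, sketched outside Splunk as an added example (not part of the original post and not Splunk's own code). It assumes Security log event IDs 4624 (logon) and 4634/4647 (logoff) and System log IDs 1074/6006 (shutdown); the function name, field layout and sample events are constructed for illustration.

```python
from datetime import datetime

LOGON = {4624}             # assumed: Security log, successful logon
LOGOFF = {4634, 4647}      # assumed: Security log, logoff / user-initiated logoff
SHUTDOWN = {1074, 6006}    # assumed: System log, shutdown initiated / Event Log stopped

# Constructed sample events: (time, host, event_id, user, logon_id)
SAMPLE = [
    ("2014-05-01T08:00:00", "WS01", 4624, "alice", "0x1a2b"),
    ("2014-05-01T08:05:00", "WS01", 4624, "bob", "0x3c4d"),
    ("2014-05-01T12:00:00", "WS01", 4634, "alice", "0x1a2b"),
    ("2014-05-01T17:30:00", "WS01", 6006, None, None),  # bob's logoff was never logged
    ("2014-05-02T08:00:00", "WS01", 4624, "carol", "0x5e6f"),
]

def build_sessions(events):
    """Pair logons with logoffs per (host, logon_id). A shutdown event closes
    every session still open on that host. Sessions with no closing event are
    returned with end=None so they are visible rather than silently dropped."""
    open_sessions, closed = {}, []
    for ts, host, eid, user, logon_id in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if eid in LOGON:
            open_sessions[(host, logon_id)] = {"host": host, "user": user, "start": when}
        elif eid in LOGOFF:
            session = open_sessions.pop((host, logon_id), None)
            if session:  # ignore a logoff whose logon was never seen
                closed.append({**session, "end": when, "closed_by": "logoff"})
        elif eid in SHUTDOWN:
            for key in [k for k in open_sessions if k[0] == host]:
                closed.append({**open_sessions.pop(key), "end": when, "closed_by": "shutdown"})
    for session in open_sessions.values():
        closed.append({**session, "end": None, "closed_by": "unknown"})
    return closed

if __name__ == "__main__":
    for s in build_sessions(SAMPLE):
        print(s["user"], s["start"], s["end"], s["closed_by"])
```
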
Thanks for the response! 🙂
You don't need the Active Directory app to monitor user authentication by the domain controllers, but you do need the Windows security log on the domain controllers. WMI can work, but WMI is not as reliable, as ChrisG mentioned.
Also, monitoring only domain controllers will not show you local account logon events.
