Monitoring User Activity in Active Directory

linuxprophet
New Member

How do I monitor user account creation in AD?

I need to accomplish the following:

  1. Who created the user?
  2. What privileges were given to the new user?
  3. What did the user do with the account once the account was created?

Thank you.


carltonflintoff
New Member

Could you please confirm your Windows server environment? You can configure the auditing policy to track all the activities made in Active Directory by users. Please refer to this link, which will point you in the right direction on how to enable the auditing policy in Active Directory: http://support.microsoft.com/kb/814595

In addition, you can have a look at this automated solution available at (www.lepide.com/active-directory-audit/), which seems to be a more suitable option and can be a better alternative approach that covers all the aspects you have mentioned in your description. It monitors all the activities made in Active Directory at a granular level and alerts instantly by sending customized email reports of all critical changes with real-time monitoring.


dolejh76
Communicator

If Splunk can do all this, why would you invest in another third-party solution?

JD


clymbouris
Path Finder

Just monitoring your DCs' security logs while executing the tasks will help you figure out the event codes you need to index. Note that Win2003 and Win2008 security logs have different event codes.

For account changes on a 2k8 DC (created, deleted, disabled, etc.) look for events 4722, 4725, 4720, 4726, 4740, 4767.

If you're short on bandwidth, then be warned that the AD security log is huge, so rex your winsecurity logs in transforms.conf and allow only the event codes you want to get through.

You should also try infigo's Windows security app.
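As an added illustration of the filtering described in the answer above (this is example configuration, not the poster's or Splunk's own), the usual way to let only specific event codes through is a props.conf/transforms.conf pair on the component that parses the data (here the heavy forwarder): first route every WinEventLog:Security event to nullQueue, then rescue only the listed account-lifecycle codes back to indexQueue. The stanza names `setnull` and `setparsing` are my choice; the code meanings in the comments are the standard Windows 2008 Security log definitions.

```ini
# props.conf  (on the heavy forwarder / indexer that parses WinEventLog:Security)
# Transforms run in the listed order; the last one that matches sets the queue.
[WinEventLog:Security]
TRANSFORMS-set = setnull, setparsing

# transforms.conf
# 1) Default: match everything and send it to the null queue (discarded, not indexed).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2) Then keep only the account-lifecycle codes from the answer above:
#    4720 user account created, 4722 enabled, 4725 disabled,
#    4726 deleted, 4740 locked out, 4767 unlocked.
#    Splunk renders each Windows event with its own "EventCode=NNNN" line,
#    so (?m) lets ^ and $ anchor on that line inside the multi-line event.
[setparsing]
REGEX = (?m)^EventCode=(4720|4722|4725|4726|4740|4767)\s*$
DEST_KEY = queue
FORMAT = indexQueue
```

Once only these events are indexed, the first question in the original post is answered directly by 4720: its Subject block (Account Name / Account Domain / Logon ID) identifies who performed the creation and its New Account block names the account that was created. Anything outside this allow-list, including the group-membership and logon events needed for the second and third questions, is dropped by `setnull`, so widen the alternation deliberately rather than filtering by volume alone.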

sdaniels
Splunk Employee

This will help you get started with AD monitoring.

http://docs.splunk.com/Documentation/Splunk/latest/Data/AuditActiveDirectory

Splunk is also working on a Splunk for Microsoft Active Directory application.

linuxprophet
New Member

Thank you.
I had read the documentation several times prior to posting.
I, however, am not a Windows man and could use some help.

The *nix app is fine for telling me who logged in, lastlog parsing and so on, but I need to be able to forward only what I specified in the initial post to the indexer.
The Windows deployment is set up as a heavy forwarder.

Any Windows gurus out there?
