Hi Team,
Recently we got a requirement from our internal teams to ingest the Active Directory logs into Splunk. Our Cluster Master, Search Heads & Indexers are hosted in Cloud and managed by Support.
Hence I have downloaded the add-on "Splunk Supporting Add-on for Active Directory", installed it in my Heavy Forwarder server and performed the configurations as mentioned in the Add-On, i.e.:
Domain name : xyz
Alternate domain name : xyz
Base DN : xyz
LDAP Server
Hostname : xyz
Port : 389
SSL : I didn't enable the check box.
Credentials
Bind DN : Provided my admin account information
Password : Related Password
Connection Status : Test Succeeded
When I clicked Save, it's not showing up as Saved.
Similarly we have installed the Add-On in our Search Heads as well but didn't perform any configurations since it's in Cloud.
So after doing this, when I went to the search head and tried to search the below queries as provided in the Add-on, I am not getting the desired results; instead we are getting the errors below.
Search Query :
| ldaptestconnection domain="xyz"
Getting error as below :
External search command 'ldaptestconnection' returned error code 1. Script output = "error_message=Cannot find the configuration stanza for domain=xyz in ldap.conf. ".
Search Query :
| ldapsearch search="(objectClass=group)" attrs=distinguishedName
| ldapgroup
Getting error as below :
External search command 'ldapsearch' returned error code 1. Script output = "error_message=Missing required value for alternatedomain in ldap/default. ".
So is there anything missed in the configuration, and why am I getting this error? Kindly help on how to get it fixed.
If there is anything I need to change in the configuration page on the Heavy Forwarder, kindly let me know.
These errors occur because the add-on was not configured on the search head. The add-on must be configured before it can be used.
You don't need this add-on to ingest AD logs. Simply install a Universal Forwarder on the AD server and configure it to use WinEventLog inputs. See https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/MonitorWindowseventlogdata#Monitor_Windows_e... for details.
Thank you for your inputs.
Actually our requirement from our Security team is to ingest the Asset List information from Active Directory, so kindly let me know how we can achieve this.
FYI, we have already installed the Universal Forwarder on our Domain Controller servers and we are ingesting the WinEvent Logs (i.e. Application, System & Security) into Splunk, so additionally how can we ingest the Asset data into Splunk?
That's something the ldapsearch command can help with. First, you'll need to craft a search that returns asset information. Your Security Team should be able to help with that. Do this on the HF.
Once you have a working search, add a collect command to save the results to an index. Use an index specific to this purpose, with a short retention time (7 days or less). The index is used to transfer the data from the HF to the indexers. The short retention time keeps storage usage low.
Configure the search to run on a regular schedule. Daily probably is good.
Create another search on the Cloud SH that reads the index used above and uses the outputlookup command to save the assets to a lookup table. This puts the assets into a form that is easier to use. Schedule the search to run after the ldapsearch query.
Thanks for your response.
But how do we initially integrate and bring the asset information into Splunk? i.e. Is there any add-on to pull it, or do we need to configure the Domain Controller servers and pull the required asset information? Kindly let me know.
So I am stuck in the initial setup itself, so kindly help on the same if possible.
The asset information is collected from AD by the ldapsearch command. Of course, you must first configure the SA-ldapsearch add-on. Work with your AD team to do that as they should have the information you need.
Thank you for your response.
Right now I have installed the add-on "Splunk Supporting Add-on for Active Directory" in our Heavy Forwarder server and done the configurations, and now, as per the queries provided below, the logs are seen in our Heavy Forwarder server.
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="distinguishedName,objectCategory"

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| table sAMAccountName, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber,
mobile, manager, priority, department, category, watchlist, whenCreated, endDate
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick,
givenName as first, sn as last, mail as email, telephoneNumber as phone,
mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate
Similarly, I have installed the Add-on in my Splunk Search Head, which is hosted in AWS Cloud, and I have done the configuration similar to the HF server, and when I search the same query I am getting the error below.
The error message reported by the search head may be because the server name in the configuration works fine within the corporate network, but is not usable from outside the network. Perhaps an alternative name/address is available?
It's possible the network won't allow connections from outside sources to the LDAP server. Work with your network team to resolve that or continue to use ldapsearch on the HF.
You may not need to set up ldapsearch on the Cloud SH. Since you have a working search on the HF, add a collect command to save the results to an index. Use an index specific to this purpose (called, for example, "ldap_data"), with a short retention time (7 days or less). The index is used to transfer the data from the HF to the indexers. The short retention time keeps storage usage low.
Configure the search to run on a regular schedule. Daily probably is good.
Create another search on the Cloud SH that reads the index used above and uses the outputlookup command to save the assets to a lookup table. This puts the assets into a form that is easier to use. Schedule the search to run after the ldapsearch query.
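As an added example (not code from the original thread), here are the two scheduled searches the answers above describe: the first is saved on the HF and writes a daily snapshot to the ldap_data index named in the answer, the second is saved on the Cloud SH and turns the latest snapshot into a lookup. The domain name xyz comes from the question, the field names follow the identity search posted earlier in the thread, and the source value ad_identity_snapshot and lookup file name ad_identities.csv are assumed.

```spl
| ldapsearch domain="xyz" search="(&(objectClass=user)(!(objectClass=computer)))"
    attrs="sAMAccountName,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,userAccountControl"
| search userAccountControl="NORMAL_ACCOUNT"
| eval priority="medium", category="normal", watchlist="false"
| rename sAMAccountName as identity, displayName as nick, givenName as first, sn as last,
    mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy,
    department as bunit, whenCreated as startDate
| fields identity, nick, first, last, email, phone, phone2, managedBy, priority, bunit, category, watchlist, startDate
| collect index=ldap_data source="ad_identity_snapshot"

index=ldap_data source="ad_identity_snapshot" earliest=-25h
| dedup identity
| table identity, nick, first, last, email, phone, phone2, managedBy, priority, bunit, category, watchlist, startDate
| outputlookup ad_identities.csv
```

Leaving collect on its default stash sourcetype keeps the snapshot from counting against license, and the 25h window with dedup ensures the lookup reflects only the most recent daily run. Restrict read access on the ldap_data index and the resulting lookup to the roles that need it, since both hold account names and contact details.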