Splunk Supporting Add-on for Active Directory Issue?

anandhalagaras1
Contributor

Hi Team,

Recently we got a requirement from our internal teams to ingest the Active Directory logs into Splunk. Our Cluster Master, Search Heads & Indexers are hosted in Cloud and managed by Support.

Hence I have downloaded the add-on "Splunk Supporting Add-on for Active Directory", installed it on my Heavy Forwarder server and performed the configurations as mentioned in the Add-On, i.e.

Domain name : xyz

Alternate domain name : xyz

Base DN : xyz

LDAP Server
Hostname : xyz
Port : 389
SSL : I didn't enable the check box.

Credentials
Bind DN : Provided my admin account information
Password : Related Password

Connection Status : Test Succeeded

When I clicked Save, it is not showing up as Saved.

Similarly, we have installed the Add-On on our Search Heads as well but didn't perform any configurations since it's in Cloud.

So after doing that, when I went to the search head and tried to run the below queries as provided in the Add-on, I am not getting the desired results; instead we are getting the errors as below.
Search Query :

| ldaptestconnection domain="xyz"

Getting error as below :

External search command 'ldaptestconnection' returned error code 1. Script output = "error_message=Cannot find the configuration stanza for domain=xyz in ldap.conf. ".

Search Query :

| ldapsearch search="(objectClass=group)" attrs=distinguishedName
| ldapgroup

Getting error as below :

External search command 'ldapsearch' returned error code 1. Script output = "error_message=Missing required value for alternatedomain in ldap/default. ".

So is there anything missed in the configuration, and why am I getting this error? Kindly help on how to get it fixed.

Is there anything I need to change in the configuration page of the add-on installed on the Heavy Forwarder? Kindly let me know.

richgalloway
SplunkTrust

Similarly, we have installed the Add-On on our Search Heads as well but didn't perform any configurations since it's in Cloud.

So after doing that, when I went to the search head and tried to run the below queries as provided in the Add-on, I am not getting the desired results; instead we are getting the errors as below.
Search Query :

| ldaptestconnection domain="xyz"

Getting error as below :

External search command 'ldaptestconnection' returned error code 1. Script output = "error_message=Cannot find the configuration stanza for domain=xyz in ldap.conf. ".

Search Query :

| ldapsearch search="(objectClass=group)" attrs=distinguishedName
| ldapgroup

Getting error as below :

External search command 'ldapsearch' returned error code 1. Script output = "error_message=Missing required value for alternatedomain in ldap/default. ".

These errors occur because the add-on was not configured on the search head.  The add-on must be configured before it can be used.

You don't need this add-on to ingest AD logs.  Simply install a Universal Forwarder on the AD server and configure it to use WinEventLog inputs.  See https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/MonitorWindowseventlogdata#Monitor_Windows_e... for details.

---
If this reply helps you, Karma would be appreciated.

anandhalagaras1
Contributor

@richgalloway ,

Thank you for your inputs.

Actually, our requirement from our Security team is to ingest the Asset List information from Active Directory, so kindly let me know how we can achieve this.

FYI, we have already installed the Universal Forwarder on our Domain Controller servers and we are ingesting the WinEvent Logs into Splunk, i.e. Application, System & Security. So additionally, how can we ingest the Asset data into Splunk?

richgalloway
SplunkTrust

That's something the ldapsearch command can help with.  First, you'll need to craft a search that returns asset information.  Your Security Team should be able to help with that.  Do this on the HF.

Once you have a working search, add a collect command to save the results to an index.  Use an index specific to this purpose, with a short retention time (7 days or less).  The index is used to transfer the data from the HF to the indexers.  The short retention time keeps storage usage low.

Configure the search to run on a regular schedule.  Daily probably is good.

Create another search on the Cloud SH that reads the index used above and uses the outputlookup command to save the assets to a lookup table.  This puts the assets into a form that is easier to use.  Schedule the search to run after the ldapsearch query.

---
If this reply helps you, Karma would be appreciated.

anandhalagaras1
Contributor

@richgalloway ,

Thanks for your response.

But how do we initially integrate and bring the asset information into Splunk? i.e. Is there any add-on to pull it, or do we need to configure something on the Domain Controller servers and pull the required asset information? Kindly let me know.

So I am stuck in the initial setup itself, so kindly help on the same if possible.

richgalloway
SplunkTrust

The asset information is collected from AD by the ldapsearch command.  Of course, you must first configure the SA-ldapsearch add-on.  Work with your AD team to do that as they should have the information you need.

---
If this reply helps you, Karma would be appreciated.

anandhalagaras1
Contributor

@richgalloway ,

Thank you for your response.

Right now I have installed the add-on "Splunk Supporting Add-on for Active Directory" on our Heavy Forwarder server and done the configurations, and now, as per the queries provided below, the logs are seen on our Heavy Forwarder server.

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="distinguishedName,objectCategory"

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| table sAMAccountName, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber,
mobile, manager, priority, department, category, watchlist, whenCreated, endDate
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick,
givenName as first, sn as last, mail as email, telephoneNumber as phone,
mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate

So similarly, I have installed the Add-on on my Splunk Search Head which is hosted in AWS Cloud and I have done the configuration similar to the HF server, and when I search the same query I am getting the error as below.

External search command 'ldapsearch' returned error code 1. Script output = "error_message=invalid server address ".

So do we need to open any ports to establish a connection between the LDAP server and the Splunk Search Head in Cloud?

In the below link, a little information is provided:

If you're configuring SA-ldapsearch on the search head in a cloud environment, then it must have connectivity between the LDAP server and the search head.

So kindly help on how to get the logs in our Search Head as well.

richgalloway
SplunkTrust

The error message reported by the search head may be because the server name in the configuration works fine within the corporate network, but is not usable from outside the network.  Perhaps an alternative name/address is available?

It's possible the network won't allow connections from outside sources to the LDAP server.  Work with your network team to resolve that or continue to use ldapsearch on the HF.

You may not need to set up ldapsearch on the Cloud SH.  Since you have a working search on the HF, add a collect command to save the results to an index.  Use an index specific to this purpose (called, for example, "ldap_data"), with a short retention time (7 days or less).  The index is used to transfer the data from the HF to the indexers.  The short retention time keeps storage usage low.

Configure the search to run on a regular schedule.  Daily probably is good.

Create another search on the Cloud SH that reads the index used above and uses the outputlookup command to save the assets to a lookup table.  This puts the assets into a form that is easier to use.  Schedule the search to run after the ldapsearch query.

---
If this reply helps you, Karma would be appreciated.
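The HF-to-Cloud pipeline richgalloway lays out in both of his replies above, written up as two savedsearches.conf stanzas (an added example, not from the thread or from the add-on). Assumed: the stanza names, the source value ad_identities, the lookup file name ad_identities.csv and the cron times; the domain xyz is the placeholder from the post, and ldap_data is the index name suggested above, which must exist on the indexers (requested from Support in Cloud) before collect can write to it.

```ini
# savedsearches.conf on the Heavy Forwarder: pull user objects from AD every
# night and hand them to the indexers through a dedicated, short-retention
# index. The search body is the one posted earlier in the thread, with the
# domain made explicit and the rename applied before the table so that the
# stored events already carry the lookup's field names.
# Assumed names: stanza title, source value, cron time.
[AD - collect identities (HF)]
enableSched = 1
cron_schedule = 0 2 * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
search = | ldapsearch domain="xyz" search="(&(objectClass=user)(!(objectClass=computer)))" \
| search userAccountControl="NORMAL_ACCOUNT" \
| eval suffix="", priority="medium", category="normal", watchlist="false", endDate="" \
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick, \
    givenName as first, sn as last, mail as email, telephoneNumber as phone, \
    mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate \
| table identity, prefix, nick, first, last, suffix, email, phone, phone2, managedBy, \
    priority, bunit, category, watchlist, startDate, endDate \
| collect index=ldap_data source="ad_identities"

# savedsearches.conf on the Cloud search head: runs an hour after the HF job,
# reads back the newest copy of each identity from the transfer index and
# rewrites the lookup table from it. The search head never talks to LDAP.
# Assumed names: stanza title, lookup file name, cron time.
[AD - build identity lookup (SH)]
enableSched = 1
cron_schedule = 0 3 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = now
search = index=ldap_data source="ad_identities" \
| dedup identity sortby -_time \
| table identity, prefix, nick, first, last, suffix, email, phone, phone2, managedBy, \
    priority, bunit, category, watchlist, startDate, endDate \
| outputlookup ad_identities.csv
```

Because only the HF runs ldapsearch, the Cloud search head needs no route to the LDAP server, which also sidesteps the "invalid server address" error from the later post; the 24-hour window on the SH search means a single missed HF run leaves the lookup stale rather than empty.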