Getting Data In
Highlighted

eDirectory events

New Member

Hi everyone,

Has anyone successfully captured audit events from the Novell Audit agent for eDirectory or IDM products? I am new to SPLUNK and wonder if this is possible. I have had a look at your free edition, and have setup a TCP listener on the correct port (1289) which forwards onto an index specifically for this event source type. I have configured the audit events from the eDirectory side and generated some sample events, yet nothing appears in SPLUNK under that index.

Is there some other steps to follow. Apologies in advance if I have missed something obvious as I am completely new to SPLUNK.

Thanks

Tags (1)
0 Karma
Highlighted

Re: eDirectory events

New Member

Anyone have any thoughts? Surely I am not the first to have tried this?

0 Karma
Highlighted

Re: eDirectory events

Builder
0 Karma
Highlighted

Re: eDirectory events

New Member

Thanks for the link Dave. I had come across that previously, however it doesn't seem to explain how this is setup. I have had a look at the associated link on the answer, but still no closer to understanding what I would need to change.

I am using the latest patches of Novell Audit on a fairly new Audit VM, sending events on port 1289. I have a Splunk free box setup listening on 1289 but it never receives any audit events.It might be I have missed something in Splunk as I am new to this product.

0 Karma
Highlighted

Re: eDirectory events

Ultra Champion

Hi, hopefully you have solved your problem by now, but in case you didn't... Two very important questions first;

  1. Are you sure that you are NOT getting the events?
  2. How did you check that?

You say you created a new index to store these events - but does your role have access rights to the index in question. Also, if you have, does this index get searched by default?
Go to Manager -> Access Controls -> Roles -> your role. At the bottom of the page you should find settings that control which indexes you can search.

Have you monitored network traffic on the port in question? Firewall in between?

Are the timestamps a possible source of trouble? If they are not parsed correctly, your events may end up in a different hour/day or even year. So running a search for 'last 60 min' may not be sufficient. Try a search for 'All time'.

Sorry if this seems like basic stuff - but these are probably the most common reasons why users do not see the events they are expecting to.

Hope this helps,

Kristian

0 Karma
Highlighted

Re: eDirectory events

New Member

Greetings;

I have a similiar eDirectory setup, and I am seeing LDAP data in my logs.

None of my ldap data is getting searched by my LDAP app, do I need to define a sourcetype?

My data currently contains "source=tcp:1289", and "sourcetype=syslog".

Thank you.

0 Karma
Highlighted

Re: eDirectory events

Motivator

You could use xdas, just use a pattern with no timestamp and index it as json.
I do a fair lot of edirectory and idm stuff if you need more...

0 Karma