Collecting logon/logoff logs from Active Directory and put them into Splunk


Hi all!

My managment wants that we collect all logon and logoff attempts into Windows PCs. We have Active Directory at our company.
Could anyone advice how to log logon/logoff attempts and upload this log into Splunk?

Thanks in advance.

Tags (2)


Active directory does not log true logoff events at the Domain Controller. The "logoff" events that are recorded at the server have more to do with network sessions and often don't accurately reflect users logging on and off of a desktop. Often these prove to be more noise than useful, actionable information. The only way to accurately to this is to somehow collect event logs from individual workstations.

Option 1 -- Universal Forwarders and Deployment Server

Installing the Universal Forwarder on all workstations is still the ideal in a number of ways, but it's understandable if you don't want to deploy and maintain it to that degree. However, if you are willing to consider that approach, be aware that there are several ways to reduce the level of pain rolling it out, so the "there are a lot of users" may not be as bad an issue as you think. It's very scriptable -- for one example script, look at this blog post. Then, use the Deployment Server to manage configuration.

Option 2 -- Windows Event Forwarding + GPO + Splunk Forwarder

If, however, that's just not doable, you may wish to explore Windows Event Forwarding. You should be able to set up a collector running Win2008 or higher, then create a Group Policy Object to have the machines send their data to the collector. Install a Splunk heavy forwarder on the collector to get the data to Splunk. The second link below has you use a Universal Forwader, but I'd lean toward use of a heavy forwarder for this.

Take a look at these:
- Quick and Dirty Large Scale Eventing for Windows
- Forwarding Windows Event Logs to another host
- Configure Computers to Forward and Collect Events

The big advantages is not having to deploy and maintain the Universal Forwarders, and being able to leverage built-in functionality and GPO configuration. The downsides are having another type of forwarding to maintain, having to maintain the additional server and heavy forwarder configuration, and having to enable the WinRM service.

Other Alternatives

Other options do exist. Adiscon makes a syslog-based forwarding agent, but you're right back to having to deploy and maintain a third party agent. Some of the other Microsoft tools like SCCM might have a way to do it, or you can explore WMI-based polling. But none of these options will be as good as either of the above.


The outline of the solution is:
1. Install Splunk Universal Forwarder, or Splunk Heavy Forwarder or some other log agent eg nxlog, syslog on all of your DCs.
2. Configure the software to monitor the Windows Security Event logs for events of interest; drop everything else (configure either props/transforms on the Heavy Forwarder or on the Indexer).
3. Send the data to your Splunk Indexers.
4. Use the sample query provided above: by lukejadamec Sep 03, 2013 at 05:58 AM

0 Karma

Super Champion

Try this. It will collect all types of logins, but it removes System Account logons by excluding those with a $.

Also, I'm not sure what your presentation ideas were, so used a simple table.

Lastly, I included some information about each of the event codes used. Note that the smaller event codes are for older systems, and the 4000 series is for newer systems.

You will probably run into problems because you are not collecting data from all systems. If an account does not authenticate with your Domain Controllers then you won't see the logon, ex: local accounts.

source="wineventlog:security"  EventCode=528 OR EventCode=540 OR EventCode=4624 OR (EventCode=4776 Error_Code=0x0) NOT Account_Name="*$"  NOT Logon_Account="*$" NOT User_Name="*$" | eval Account_Name=mvindex(Account_Name,1) |  eval User=coalesce(Account_Name,Logon_Account,Logon_account,User_Name) | eval User=lower(User) |table _time,User,EventCode

Event Code 528 / 4624 - logged whenever an account logs on to the local computer, except in the event of network logons (see Event Code 540).

Event Code 540 / 4624 - whenever a user logged on elsewhere on the network connects to a resource including IIS.

Event Code 4776 - The domain controller attempted to validate the credentials for an account.

Event Code 680 - Account used for logon by / with an error code of 0x0.


It's unreal to install Splunk forwarder to all Windows PCs - there are a lot of users. I think that the easiest way is to collect this log from all PCs in one place and upload it to Splunk.
It doesn't matter of logon types. I will to try on interactive logon.
We have Win 2000-2003-XP-7-8-2008 "Full house" 🙂

0 Karma

Super Champion

There are a few ways to do this. Do you have forwarders installed on all of your systems? What types of logons are you interested in (there are 9)? What versions of Windows are you using in the network you want to monitor?

Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...