Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- LDAP Search / Active Directory App Monitor Changes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LDAP Search / Active Directory App Monitor Changes
How can I use Splunk to alert / run reports on group member changes?
Currently I have something I wrote that reads group members from AD, stores in DB then runs a differential. Seems like splunk would be ideal for this. Is there a way to run a search and diff from the previous run?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bump?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes you can. You can bring your AD logs to Splunk using the following app
Using ldapsearch command, and with a bit of SPL magic, you can customise the data that you want to pull from AD.
Since Splunk will store your old, as well as new data, you can easily compare them and schedule alerts, reports, create tickets in a ITSM ticketing tool like Servicenow, Remedy etc and much more.
Hope this helps,
S
Note: If it helped, please mark this as an accepted answer.
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes i already was able to pull the information. the other things you referenced I do not follow. I'm really trying to get a little more information on the how ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can give some sample data, which has the data of pre and post group changes, we can help you to build the search.
I believe an EventCode is being generated, everytime there's some changes in the OU. Like 4727 for a group creation, 4728 when a member is added, 4729 if a member is removed and so on.
If that's the case, I'd look out for those eventcodes and use the table command to pipe the required values in tabular format.
Again, some sample data and more light on what you want to achieve will be helpful.
Thanks,
S
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
