monitoring workstation domains from active directory

hazem
Path Finder

We have 500 domain workstations, and we have installed Splunk Universal Forwarders (UF) on the Active Directory server. The question is, how can we monitor the security logs of those workstations from the Universal Forwarder installed on the Active Directory server?


gcusello
SplunkTrust

Hi @hazem ,

having the UF on the Domain Controller you can monitor all the accesses to the DC from the clients but not the local events from each server.

To have local events, you have to install UF on each client.

Ciao.

Giuseppe


hazem
Path Finder

Hi @gcusello

What stanza should I insert in inputs.conf to monitor all the client accesses to the DC?

and what do you mean by local events?


gcusello
SplunkTrust

Hi @hazem ,

taking the logs from the DC, you have all the events from all the clients and you can have Security, System and Application logs.

Obviously you don't have local events e.g. local users accesses.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @hazem ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


PickleRick
SplunkTrust

@gcusello You're confusing us a bit here 😉

Domain Controllers have their own logs. They reflect what's going on on those DCs. So they will contain the information about the domain activities but they will not contain the information about local activities on the workstations.

This distinction is important because if a user A tries to access a file share \\B\C$, logging in from workstation D, you will see domain Security events from Kerberos activity both from the initial login to D and from B, but you will not see whether, for example, user A was actually granted access to the share \\B\C$, because he might simply not have been granted permissions to the share. It has nothing to do with the authentication process, which involves the DC. Authorization here is a local thing, and the logs (I think you have to explicitly enable access auditing, BTW) will not be available on the DC because logs by default are not "forwarded" anywhere.


gcusello
SplunkTrust

Hi @PickleRick ,

you said in a perfect way what I tried to explain: on the DC there are the connection events (e.g. 4524 or 4634 etc...) but not the local events from the clients.

For this reason I hinted to install the UF also on Clients and not only on DC.

Ciao and thanks for the details.

Giuseppe


PickleRick
SplunkTrust

Each Windows computer gathers security events pertaining to that particular computer. So domain controllers log all activity that occurs on them: domain logins, domain logouts and so on. Workstations log into their own Security event log the events which occur on them, like local logins and logouts.

So there is no way to get local events from those workstations by looking in the domain controllers' event logs. These are two separate things.

You need to ingest Security eventlogs from those workstations. You can get them either by installing UF on each of them and ingest local eventlog from each of those workstations or by setting up a WEF collector and setting up a forwarding policy so that you gather logs centrally. And from this central collector you'd pull them with a UF. There are also additional ways but these are the only two reasonable ones.

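The two collection paths PickleRick lists above (a UF on every workstation, or Windows Event Forwarding into a collector that a single UF reads), together with the DC-side stanza hazem asked about earlier in the thread, as inputs.conf fragments. This is an added example, not configuration posted by anyone in the thread; the index name `wineventlog`, the event-code whitelists and the idea of shipping the stanzas as deployment-server apps are assumptions, and the WEF subscription itself (GPO pointing the workstations at the collector, plus the subscription on the collector) is set up outside Splunk and is not shown here.

```ini
# Added example, not from the thread. Three separate inputs.conf files are
# shown; each lives in its own app on the host type named in its header.
# Index name "wineventlog" and the whitelists are assumptions.

# ===== 1. inputs.conf for the UF on each of the 500 workstations =====
# These are the "local events" the DC never sees: interactive/network
# logons to the workstation, privilege use, share and object access
# (needs local object-access / file-share auditing enabled), and process
# creation (needs process-tracking auditing enabled).
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = 1
whitelist = 4624,4634,4648,4672,4688,5140,5145

# ===== 2. inputs.conf for the UF on a WEF collector =====
# Workstations push their Security log to this host over a WEF
# subscription; the forwarded copies land in the ForwardedEvents channel,
# not in the collector's own Security log, so that is the channel to read.
# The originating workstation is carried inside each event's XML (the
# <Computer> element), which is why renderXml is kept on here.
[WinEventLog://ForwardedEvents]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = 1

# ===== 3. inputs.conf for the UF already installed on the DC =====
# What the DC can tell you about the clients: Kerberos TGT/service ticket
# requests and failures (4768/4769/4771), NTLM validation (4776), account
# lockouts (4740) and the DC's own logon/logoff events (4624/4634).
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = 1
whitelist = 4624,4634,4740,4768,4769,4771,4776
```

With only fragment 3 deployed, a search for EventCode 5140 or 5145 returns nothing for the workstations, no matter how the search is written; the events are never generated on the DC. Fragment 1 or 2 is what makes the authorization side of PickleRick's \\B\C$ example visible, and on each workstation the matching audit subcategories (File Share, Detailed File Share, Process Creation) must be enabled or those IDs are never written in the first place.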