Splunk Enterprise

How to search for logon/logoff activity of domain admins

dhrechkosy
Explorer

Trying to figure out how to search for all logon/logoff attempts by any users in the "Domain Admins" group in active directory. I am currently using Splunk Light 6.5.2 and forwarding the security log events from one single domain controller to Splunk.

What would be a proper search string to use to find account logon/logoff activity for domain admins? Will I need to do a general search for all logon and logoff activity and then filter it to the specific users I'm looking for?

There are 3 staff in the domain admins group as well as the built in domain-administrator account. Management wants me to find a way to track logs for every logon/logoff for these four accounts.

Any suggestions will be helpful as I'm still quite new to this software.

1 Solution

nickhills
Ultra Champion

You could add your domain admins to a lookup file/table.
Using a sub search you could read your list of users using inputlookup and then in the main search look for login events.

tag=authentication tag=login [| inputlookup admin_users.csv | rename username AS user | fields user]

(I'm not near a system with windows logs to test/get you proper syntax but hopefully that gives you enough)

If my comment helps, please give it a thumbs up!
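A fuller version of the same lookup-plus-subsearch idea, as an added example rather than code from the original answer. It replaces the authentication/login tags with explicit Windows Security event codes (4624 logon, 4634 and 4647 logoff) and assumes the CSV header used later in the thread (username,firstname,surname) plus the index name and the `user` field that the Splunk Add-on for Microsoft Windows extracts from Security events; adjust those to your environment.

```spl
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634 OR EventCode=4647)
    [| inputlookup admin_users.csv | rename username AS user | fields user]
| eval action=case(EventCode=4624, "logon", EventCode=4634 OR EventCode=4647, "logoff")
| lookup admin_users.csv username AS user OUTPUT firstname surname
| table _time, user, firstname, surname, action, EventCode, Logon_Type, ComputerName
| sort -_time
```

The subsearch expands to `(user=bob.jones OR user=user662237 ...)`, so only events for accounts in the lookup are returned; note that the `lookup` command matches case-sensitively by default, so the usernames in the CSV must match the case Windows writes into the event.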


viscarra
Engager


Hi, do you mind sharing the search string/SPL you used to get the AD login information?

Thank you!

0 Karma

dhrechkosy
Explorer

Perfect, I will try this suggestion. Do you know where the admin_users.csv file will need to be placed in order for Splunk to recognize it when I run this sub search?

0 Karma

dhrechkosy
Explorer

Just a few more questions/clarifications needed:

For the two tags you mentioned "authentication" and "login" what field should those correspond to?

I set authentication to EventCode=4634 and EventCode=4672, not sure if that's right and not certain what login should be set as.

For the admin_users.csv file what is the format it should be in? Currently I just had an empty csv file with:

Username
Username
Username

Should there be any special formatting inside the .csv file to list the domain admin names properly?

0 Karma

nickhills
Ultra Champion

Your CSV will need to contain a header row, and you may find it useful to drop some friendly names in too.

username,firstname,surname
bob.jones,bob,jones
user662237,mike,smith

etc.

If my comment helps, please give it a thumbs up!
0 Karma

dhrechkosy
Explorer

Hi Nick,

Thanks, looks like I have that all figured out now. As for the tags, what field value pairs do you recommend?

authentication:

login:

0 Karma

dhrechkosy
Explorer

Thank you!

0 Karma

starcher
Influencer

This is the easiest being new. Longer term you could make a lookup table inspired by the Enterprise Security app format for identities.
http://docs.splunk.com/Documentation/ES/4.6.0/User/AssetandIdentityLookupReference

Then apply it as an auto lookup on the sourcetype of those logs.
http://docs.splunk.com/Documentation/SplunkCloud/6.5.1612/Knowledge/Makeyourlookupautomatic

0 Karma