Splunk Search

How to create searches for a dashboard on Active Directory user activity?

akashjohn
Explorer

Hi Team,

We are trying to create a dashboard with a couple of Active Directory user activities (like login success vs failure, locked out accounts, password expired accounts, most active accounts, etc.). Could you please let us know how we can create Splunk searches to get this data?

0 Karma

sundareshr
Legend

@akashjohn if you have the data in Splunk, look at this site for ideas for queries: http://gosplunk.com/failed-versus-successful-logon-attempts/

If you don't have the data in Splunk, check out this app: https://splunkbase.splunk.com/app/1680/

0 Karma

akashjohn
Explorer

Hi Team,

We were not able to find any user activity logs in Splunk. The methods we tried are given below:
- index=main sourcetype="security"
- source=WinEventLog:security

Neither of these methods provides the logs (one user's logs are available) as a result of the Splunk query, so we suspect the logs do not seem to be reaching the Splunk server.

Could you please let us know which configurations we need to set up on the client server side to send logs to the Splunk server?

We are assuming that the AD server logs will provide all the necessary data about AD user account related activities; if not, please let us know on which servers we need to configure Splunk.

Thanks,
Akash John

0 Karma

rafamss
Contributor

Active Directory generates logs locally on the machine on which it is deployed, so just get these logs from the servers and begin making some searches. Some examples:

index=security sourcetype=adLog (error OR fail*) | stats count

You can get this data through these methods: monitoring the file system, by script, or by uploading the file to Splunk.

Follow this source to configure AD logging: https://technet.microsoft.com/en-us/library/cc961809.aspx

0 Karma
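As an added example (not from this thread or from any of the posters), here is one way to assemble the four panels the question lists into a single Simple XML dashboard. It assumes Windows Security events are indexed in index=wineventlog by the Splunk Add-on for Windows with its classic field names (EventCode, user, Sub_Status); both the index name and the field names are assumptions to adjust to your environment.

```xml
<dashboard>
  <label>Active Directory User Activity</label>
  <!-- Shared base search, aggregated so post-processing never hits the raw-event cap.
       Assumes Splunk Add-on for Windows field names; adjust index= to your environment. -->
  <search id="logons">
    <query>index=wineventlog source="WinEventLog:Security" (EventCode=4624 OR EventCode=4625) user!="*$" | bin _time span=1h | stats count by _time, user, EventCode</query>
    <earliest>-24h</earliest><latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Logon success (4624) vs failure (4625), per hour</title>
      <chart>
        <search base="logons">
          <query>| eval outcome=if(EventCode=4624,"success","failure") | timechart span=1h sum(count) as count by outcome</query>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Most active accounts (top 10 by logon events)</title>
      <table>
        <search base="logons">
          <query>| stats sum(count) as count by user | sort -count | head 10</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Locked out accounts (4740), last 7 days</title>
      <table>
        <search>
          <query>index=wineventlog source="WinEventLog:Security" EventCode=4740 | stats count as lockouts, latest(_time) as last_lockout by user | convert ctime(last_lockout)</query>
          <earliest>-7d</earliest><latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <!-- Sub_Status 0xC0000071 on a 4625 event is STATUS_PASSWORD_EXPIRED. -->
      <title>Failed logons with expired password (4625), last 7 days</title>
      <table>
        <search>
          <query>index=wineventlog source="WinEventLog:Security" EventCode=4625 Sub_Status=0xC0000071 | stats count, latest(_time) as last_seen by user | convert ctime(last_seen)</query>
          <earliest>-7d</earliest><latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

If any panel stays empty, run its query on its own in the search bar first; an empty result there points to the forwarding or input configuration discussed above rather than to the dashboard.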

akashjohn
Explorer

Hi rafamss,

Thanks for the response. Unfortunately we were not able to find any logs as output.

0 Karma