We are trying to create a dashboard with a couple of Active Directory user activities (like Login Success vs Failure, Locked-out accounts, Password-expired accounts, Most active accounts, etc.). Could you please let us know how we can create Splunk searches to get this data?
@akashjohn if you have the data in splunk, look at this site for ideas for queries http://gosplunk.com/failed-versus-successful-logon-attempts/
If you don't have the data in splunk, check out this app https://splunkbase.splunk.com/app/1680/
We were not able to find any user activity logs in Splunk. The methods which we tried are given below:
- index = main sourcetype = "security"
Both of these methods are not providing the logs (only one user's logs are available) as a result of the Splunk query. So we suspect the logs are not being ported to the Splunk server.
Could you please let us know which configurations we need to set up on the client server side to send logs to the Splunk server?
We are assuming that the AD server logs will provide all the necessary data about AD user account related activities; if not, please let us know on which servers we need to apply the Splunk configuration.
Active Directory generates logs locally on the machine on which it is deployed; with this, just get these logs from the servers and begin making some searches. Some examples:
index=security sourcetype=adLog (error OR fail*) | stats count
You can get this data through these methods: monitoring the file system, by script, or uploading the file to Splunk.
Follow this source to configure AD logging: https://technet.microsoft.com/en-us/library/cc961809.aspx
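As an added example (not from this thread), here is a Simple XML dashboard with one panel per item the question asked for, built on the standard Windows Security event IDs (4624 logon success, 4625 logon failure, 4740 lockout). It assumes the domain controllers forward their Security event log with a Splunk Universal Forwarder (a `[WinEventLog://Security]` stanza in inputs.conf) into an index named wineventlog; the index name and the time ranges are assumptions to adjust for your environment.

```xml
<dashboard>
  <label>AD user activity (added example; index "wineventlog" is assumed)</label>
  <!-- Assumes DCs run a Universal Forwarder with [WinEventLog://Security] enabled; fields
       EventCode, Account_Name (multivalue: Subject, then target) and Sub_Status come from Splunk's Windows add-on. -->
  <row>
    <panel>
      <title>Logon success vs failure per hour (4624 / 4625)</title>
      <chart>
        <search>
          <query>index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4625)
| eval outcome=if(EventCode=4624, "success", "failure") | timechart span=1h count by outcome</query>
          <earliest>-24h@h</earliest><latest>now</latest>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Locked out accounts (4740)</title>
      <table>
        <search>
          <query>index=wineventlog sourcetype="WinEventLog:Security" EventCode=4740
| eval locked_user=mvindex(Account_Name, -1) | stats count latest(_time) as last_lockout by locked_user, Caller_Computer_Name | convert ctime(last_lockout)</query>
          <earliest>-7d@d</earliest><latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Logon failures with expired password (4625, Sub_Status 0xC0000071)</title>
      <table>
        <search>
          <query>index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 Sub_Status=0xC0000071
| stats count latest(_time) as last_seen by Account_Name | convert ctime(last_seen) | sort - count</query>
          <earliest>-7d@d</earliest><latest>now</latest>
        </search>
      </table>
    </panel>
    <panel>
      <title>Most active accounts (successful logons, computer accounts excluded)</title>
      <table>
        <search>
          <query>index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
| eval user=mvindex(Account_Name, -1) | where NOT like(user, "%$")
| stats count by user | sort - count | head 10</query>
          <earliest>-24h@h</earliest><latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Paste this as the source of a new dashboard; the mvindex() step matters because 4624 and 4740 carry both the Subject account and the target account in the single multivalue Account_Name field, and the like() filter drops machine accounts (names ending in $) from the activity ranking.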