Pretty new to all this.
I've got a Splunk 6.5.1 environment gathering data from Windows servers/desktops and Active Directory (AD). Need to create a search that will show me all login attempts and successes by members of the Domain Admins group. I can search data about the logins and I can get group membership via SA-LDAPSearch. How do I make the info about the Domain Admin group members available to the logins search?
to search login,logout and logfail events you have to insert in your search (eventually using a lookup) the following EventIds:
528, 529, 530, 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, 4624, 4625, 4634, 4647, 4648, 4672, 4675, 4771, 17055, 18450, 18451, 18452, 18453, 18454, 18455, 18456, 18457, 18458, 18459, 18460, 18461, 24001, 24002, 24003 (the last ones are for Exchange and SQL Server).
Beware to duplicated Login Events: each access generates many login events, so you have to filter them using dedup or transaction commands.
Thanks for this. I've looked through it and it will get me the info I want based on the current Domain Admins group. I am hoping there's a way to update the information from Domain Admins each time I run the query.