Search for users in a log from a specific Active D...

kholleran · ‎07-30-2010

Hello,

I am asking a lot of questions today (obviously new to Splunk and in implementation...).

We do NOT use AD for Splunk authentication. What I would like to do is query a specific OU for a list of users, then use this list to search Security Event log of specific servers for logins.

Ultimately, we have vendors who are in an OU that restricts their access to specific servers. I would like to report on their activities weekly. These accounts change based on who we are working with from the vendor so by querying a specific OU, this would be dynamic as changes occur.

Can this be done?

Thanks.

Kevin

gkanapathy · ‎08-02-2010

You could use Splunk AD monitoring to log the contents of AD into Splunk. You could then query this directly and use the results in a subsearch to query the security log.

bnolen · ‎08-02-2010

You could possibly do this with a external lookup script that mapped the users names to their OU, and subsearch on OU membership. The problem with this approach could be the amount of overhead doing the lookups.

Search for users in a log from a specific Active Directory OU

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation