Splunk Search
Highlighted

Search for users in a log from a specific Active Directory OU

Communicator

Hello,

I am asking a lot of questions today (obviously new to Splunk and in implementation...).

We do NOT use AD for Splunk authentication. What I would like to do is query a specific OU for a list of users, then use this list to search Security Event log of specific servers for logins.

Ultimately, we have vendors who are in an OU that restricts their access to specific servers. I would like to report on their activities weekly. These accounts change based on who we are working with from the vendor so by querying a specific OU, this would be dynamic as changes occur.

Can this be done?

Thanks.

Kevin

Highlighted

Re: Search for users in a log from a specific Active Directory OU

Path Finder

You could possibly do this with a external lookup script that mapped the users names to their OU, and subsearch on OU membership. The problem with this approach could be the amount of overhead doing the lookups.

0 Karma
Highlighted

Re: Search for users in a log from a specific Active Directory OU

Legend

You could use Splunk AD monitoring to log the contents of AD into Splunk. You could then query this directly and use the results in a subsearch to query the security log.