Hi 🙂 We use Splunk Cloud, which gets logs from two HFs, which in turn get logs from many UFs. A few of those UFs live on our Domain Controllers, which interact to some extent with the LDAP API and get a notification every time an AD object changes (https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-active-directory-on-splunk-universal-forwarders.html).

What now happens is that every time LAPS changes the passwords, the computer object gets updated, the UF gets hold of those passwords and we can see them in plaintext in Splunk Cloud.

After discovering this, I added this to props.conf (Splunk\etc\system\local) on the HF and restarted the HF:

[ActiveDirectory]
SEDCMD-pwdmask = s/(ms\-Mcs\-AdmPwd\=).+/########/g

And since this hasn't worked, I tried this:

[ActiveDirectory]
SEDCMD-anonymiseLaps = 's/ms-Mcs-AdmPwd\=.*/ms-Mcs-AdmPwd=####!!!!!#####/g'

(Source: https://www.databl.io/anonymise-your-clear-text-laps-passwords-in-splunk/ - this describes the problem pretty well.)

...which hasn't worked either. We still see those passwords. Has anybody encountered similar problems and/or has hints or possible solutions? Thanks in advance.
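SEDCMD rules are plain sed-style substitutions evaluated against the raw event text, so the first thing worth checking is whether the two regexes from the post match the LAPS attribute at all, independently of where in the pipeline they run. The Python script below is an added example, not part of the post or of Splunk; it replays both SEDCMD bodies with `re.sub()` against a constructed admon-style event (the layout and the attribute value are made up, the value is a placeholder and not a password) and then scans the result for any secret attribute whose value is still in clear text. It also goes a step beyond the post: a third, hardened rule that is case-insensitive, keeps the attribute name via a `\1` backreference, and additionally covers the Windows LAPS attribute `msLAPS-Password`. That Splunk's PCRE engine accepts the inline `(?i)` flag and `\1` in the replacement is an assumption; the Python behaviour is what the test verifies.

```python
import re

# Constructed sample of an admon (Active Directory monitoring) event as a UF on a
# Domain Controller might forward it. Layout and values are made up for this
# example; the ms-Mcs-AdmPwd value is a placeholder, not a real password.
SAMPLE_EVENT = """03/10/2024 09:15:42.123
dcName=dc01.example.local
admonEventType=Update
Names:
    objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=local
    name=WS-0042
Object Details:
    sAMAccountName=WS-0042$
    ms-Mcs-AdmPwd=Placeholder-NotARealPassword-1
    ms-Mcs-AdmPwdExpirationTime=133540000000000000
    whenChanged=03/10/2024 09:15:41
"""

# The SEDCMD bodies from the post as (compiled regex, replacement) pairs.
# s/regex/replacement/g maps directly onto re.sub(); neither original rule
# sets a case-insensitive flag, so they only match the exact spelling.
RULES = {
    # SEDCMD-pwdmask: the capture group is never referenced in the replacement,
    # so the attribute name disappears together with the value.
    "pwdmask": (re.compile(r"(ms\-Mcs\-AdmPwd\=).+"), "########"),
    # SEDCMD-anonymiseLaps: keeps the attribute name, replaces only the value.
    "anonymiseLaps": (re.compile(r"ms-Mcs-AdmPwd\=.*"),
                      "ms-Mcs-AdmPwd=####!!!!!#####"),
    # Hardened variant (an addition beyond the post): case-insensitive, keeps
    # whatever spelling of the attribute name appeared (\1), and also covers the
    # Windows LAPS attribute msLAPS-Password.
    "hardened": (re.compile(r"(?i)((?:ms-Mcs-AdmPwd|msLAPS-Password)=).*"),
                 r"\1########"),
}

# Attribute names whose values must never reach the index in clear text.
SECRET_ATTRS = ("ms-Mcs-AdmPwd", "msLAPS-Password")


def apply_rule(event: str, rule_name: str) -> str:
    """Apply one of the SEDCMD-equivalent rules to a raw event string."""
    pattern, replacement = RULES[rule_name]
    return pattern.sub(replacement, event)


def leaked_attributes(event: str) -> list:
    """Return the secret attributes that still carry a clear-text value.

    A value counts as masked when it consists only of '#' and '!' characters,
    i.e. when it matches either replacement string used in the post. The
    attribute name is compared case-insensitively because LDAP attribute
    names are case-insensitive and tools render them differently.
    """
    leaked = []
    for line in event.splitlines():
        stripped = line.strip()
        for attr in SECRET_ATTRS:
            prefix = attr + "="
            if stripped.lower().startswith(prefix.lower()):
                value = stripped[len(prefix):]
                if value and not re.fullmatch(r"[#!]+", value):
                    leaked.append(attr)
    return leaked


def lowercase_variant(event: str) -> str:
    """Hypothetical rendering of the same event with the attribute name in
    lower case, used to show which rules depend on exact spelling."""
    return event.replace("ms-Mcs-AdmPwd=", "ms-mcs-admpwd=")


if __name__ == "__main__":
    for variant_name, variant in (("as-is", SAMPLE_EVENT),
                                  ("lowercase", lowercase_variant(SAMPLE_EVENT))):
        print(f"=== unmasked ({variant_name}): leaked={leaked_attributes(variant)}")
        for rule_name in RULES:
            masked = apply_rule(variant, rule_name)
            print(f"--- {rule_name}: leaked={leaked_attributes(masked)}")
            print(masked)
```

Run it as a script to see each rule's output side by side. Against the constructed event both rules from the post do remove the value, which means that if the passwords are still visible in the index, the substitution itself is not the problem; rather, the events are not passing through the `[ActiveDirectory]` stanza at the point where that HF parses them (for example because the sourcetype differs, or because the data is already parsed before it reaches the HF). `leaked_attributes()` is also usable as-is over exported events to confirm, after any configuration change, that no clear-text value remains.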