How can an alert be triggered when a user account is used to connect to the VPN from the internal network and then used to log on to a workstation in the domain network within a short time range (i.e. within 5 minutes)?
Suppose that Check Point logs and Windows Security logs have already been collected.
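The correlation asked for above, written out as an added example that is not part of the original post and is not Splunk search code: it parses a few constructed Check Point VPN lines and Windows Security 4624 logon lines, keeps only VPN logins whose source address is internal, and reports every account that then logged on interactively to a workstation within the 5-minute window. The log formats, the internal address ranges (assumed to be the RFC 1918 blocks) and the field names are assumptions chosen for the sample data.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). The Check Point lines are
# simplified to key=value pairs; the Windows lines mimic fields extracted from
# Security EventCode 4624 (successful logon).
VPN_LOG = """\
2014-09-10 09:00:12 user=jdoe src=172.16.1.55 action=vpn_login
2014-09-10 09:07:40 user=asmith src=10.0.0.23 action=vpn_login
2014-09-10 09:20:05 user=jdoe src=203.0.113.9 action=vpn_login
"""

WIN_LOG = """\
2014-09-10 09:03:30 EventCode=4624 Account_Name=jdoe Logon_Type=2 ComputerName=WS01
2014-09-10 09:22:10 EventCode=4624 Account_Name=jdoe Logon_Type=2 ComputerName=WS03
2014-09-10 09:30:00 EventCode=4624 Account_Name=asmith Logon_Type=2 ComputerName=WS02
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
WINDOW = timedelta(minutes=5)

# Assumption: "internal" means the RFC 1918 ranges; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Logon types 2 (Interactive), 10 (RemoteInteractive) and 11 (CachedInteractive)
# are the ones that mean a person signed in at a workstation.
WORKSTATION_LOGON_TYPES = {"2", "10", "11"}

VPN_RE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                    r"action=(?P<action>\S+)$")
WIN_RE = re.compile(r"^(?P<ts>\S+ \S+) EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+) "
                    r"Logon_Type=(?P<ltype>\d+) ComputerName=(?P<host>\S+)$")


def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_vpn_logins(text):
    """VPN logins that originate from an internal address, oldest first."""
    events = []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m and m["action"] == "vpn_login" and is_internal(m["src"]):
            events.append({"time": datetime.strptime(m["ts"], TS_FMT),
                           "user": m["user"].lower(), "src": m["src"]})
    return sorted(events, key=lambda e: e["time"])


def parse_workstation_logons(text):
    """Successful interactive-style logons (4624), oldest first."""
    events = []
    for line in text.splitlines():
        m = WIN_RE.match(line)
        if m and m["code"] == "4624" and m["ltype"] in WORKSTATION_LOGON_TYPES:
            events.append({"time": datetime.strptime(m["ts"], TS_FMT),
                           "user": m["user"].lower(), "host": m["host"]})
    return sorted(events, key=lambda e: e["time"])


def find_vpn_then_logon(vpn_text, win_text, window=WINDOW):
    """Pair each internal VPN login with workstation logons by the same account
    that follow it within `window`; each pair is one alert candidate."""
    hits = []
    logons = parse_workstation_logons(win_text)
    for v in parse_vpn_logins(vpn_text):
        for l in logons:
            if l["user"] == v["user"] and v["time"] <= l["time"] <= v["time"] + window:
                hits.append({"user": v["user"], "src": v["src"], "host": l["host"],
                             "vpn_time": v["time"].strftime(TS_FMT),
                             "logon_time": l["time"].strftime(TS_FMT),
                             "delta_seconds": int((l["time"] - v["time"]).total_seconds())})
    return hits


if __name__ == "__main__":
    for hit in find_vpn_then_logon(VPN_LOG, WIN_LOG):
        print(hit)
```

On the sample data only `jdoe` fires: the 09:00 VPN login from 172.16.1.55 is followed by a logon on WS01 198 seconds later. The 09:20 VPN login comes from a non-internal address, and `asmith` logs on 23 minutes after the VPN event, so neither produces a hit. In Splunk the same logic is a scheduled search over the two sourcetypes keyed on the normalised user name with a 5-minute window; the Python version shows the matching rules explicitly so they can be checked before they become an alert.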
In my test environment,
1 domain controller: Windows Server 2012 R2, IP 172.16.1.10, FQDN spdc.nwtraders.msft
1 member server (Windows Server 2008 R2, .NET 4.5 installed, PowerShell 3 installed) on which Splunk (splunk-6.1.3-220630-x64-release.msi) runs.
I have installed the universal forwarder (splunkforwarder-6.1.3-220630-x64-release) on the domain controller and have copied SA-ModularInput-PowerShell, Splunk_TA_windows, TA-DNSServer-NT6 and TA-DomainController-2012R2 into the C:\Program Files\SplunkUniversalForwarder\etc\apps folder.
The PowerShell app, Microsoft Windows app, SA-ldapsearch app and Windows Infrastructure apps are installed on the Splunk instance that runs on the member server.
Splunk has a receiver listening on TCP 12345, which the UF also uses to forward data.
When I try to detect, the domain, domain controller, users and computers are not found.
The configuration of the ldap.conf file (Program Files\Splunk\etc\apps\SA-ldapsearch\local) is shown below.
server = spdc.nwtraders.msft
port = 389
ssl = false
basedn = DC=nwtraders,DC=msft
binddn = cn=Administrator,cn=Users,DC=nwtraders,DC=msft
password = Password1
alternatedomain = NWTRADERS
server = 172.16.1.10
The SA-ldapsearch.log file is also missing, so I could not troubleshoot the issue.
Any help would be nice
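A small offline check for a file of the shape posted above, added here as an example; it is not code from SA-ldapsearch or from the poster. It parses `key = value` lines (splitting on the first `=`, since `basedn` and `binddn` values contain `=`), tracks optional `[stanza]` headers, and reports keys set more than once in the same stanza, missing required keys, a non-numeric port and an `ssl`/port mismatch. In the posted file the `server` key appears twice, and that is the one finding the sample produces. The required-key list and the `ssl`/port rule are assumptions for the example, and the password in the sample is a placeholder.

```python
from collections import Counter

# Constructed copy of the posted ldap.conf layout; the password is a placeholder,
# not the value from the post.
SAMPLE_LDAP_CONF = """\
server = spdc.nwtraders.msft
port = 389
ssl = false
basedn = DC=nwtraders,DC=msft
binddn = cn=Administrator,cn=Users,DC=nwtraders,DC=msft
password = REDACTED_PLACEHOLDER
alternatedomain = NWTRADERS
server = 172.16.1.10
"""

# Assumption: these keys must be present for a bind to be attempted at all.
REQUIRED_KEYS = ("server", "port", "basedn", "binddn", "password")


def parse_ldap_conf(text):
    """Return (settings, findings). settings maps stanza -> {key: value};
    findings lists parse problems such as a key set more than once."""
    settings = {}
    seen = Counter()
    findings = []
    stanza = "default"          # keys before any [header] go to a default stanza
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if "=" not in line:
            findings.append(f"line {lineno}: not a 'key = value' pair: {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        seen[(stanza, key)] += 1
        if seen[(stanza, key)] > 1:
            findings.append(f"line {lineno}: key 'server' set more than once in [{stanza}]"
                            .replace("'server'", f"'{key}'"))
        settings.setdefault(stanza, {})[key] = value
    return settings, findings


def check_ldap_conf(text):
    """Run the structural checks and return a list of human-readable findings."""
    settings, findings = parse_ldap_conf(text)
    for stanza, kv in settings.items():
        for key in REQUIRED_KEYS:
            if key not in kv:
                findings.append(f"[{stanza}]: required key '{key}' is missing")
        port = kv.get("port")
        if port is not None and not port.isdigit():
            findings.append(f"[{stanza}]: port {port!r} is not a number")
        ssl = kv.get("ssl", "false").lower()
        # Assumption for the check: 389 is plain LDAP, 636 is LDAPS.
        if ssl == "true" and port == "389":
            findings.append(f"[{stanza}]: ssl = true but port is 389 (plain LDAP)")
        if ssl == "false" and port == "636":
            findings.append(f"[{stanza}]: ssl = false but port is 636 (LDAPS)")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_conf(SAMPLE_LDAP_CONF):
        print(finding)
```

Run against the sample it prints one line, pointing at the second `server` entry. The check says nothing about which value the app will actually use for a repeated key; it only makes the repetition visible so the file can be cleaned up to a single `server` line before looking elsewhere for why the domain is not found.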