Good morning all
please i'm in a big das that i can't solve it: i'm a student and i'm preparing my graduation project and it's my first time with splunk
I want to know if my steps are correct or not
I want to analyze the user accounts of my active directory: I want to work only on the information concerning the connection of the accounts (login, log off...) and also (creation, modification, deletion..)
for that I installed on my splunk server the 3 apps:
SA-ldapsearch (I don't know why I can't save the domain password on this add on despite the connection being successful)
after that I copied the 2 folders "Splunk_TA_windows" and
"Splunk_TA_microsoft_ad" to my AD server in forrwadersplunk folder path
after that I configured this input file and I copied it to a new "local" folder on the 2 servers
###### Monitor Inputs for Active Directory ######
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
Interval checkpoint = 5
blacklist1 = EventCode="4662" Message="Object Type: (?!\s*group Policy Container)"
blacklist2 = EventCode="566" Message="Object Type: (?!\s*group PolicyContainer)"
disabled = 0
Am I missing another step??
is the input file configuration correct??
can I have my needs with this configuration ???
thank you for answering me because I can not find the right answer on the net and I have a big problem: I find incomplete information on some users when I launch searches concerning their opening and closing of sessions.
I apologize for this long message but I must explain all the details to you to have the best advice
at first, don't install the above TAs in that folder, but in the $SPLUNK_HOME\etc\apps folcer.
then, I suppose that you already configured your forwarders to send data to Splunk, if not, see in vido or docs (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Data/Getstartedwithgettingdatain).
Then SA-ldapsearch must be installed on your Splunk server, not on the Forwarders: it's used to make some ldap calls to extract data.
About information about login events, you have to search events with:
like I said : on the Splunk server I installed Splunk_TA_windows Splunk_TA_microsoft_ad SA-ldapsearch (I don't know why I can't save the domain password on this add on despite the connection being successful) on the active directory server which is my Forwarder I installed only Splunk_TA_windows Splunk_TA_microsoft_ad I used only one Forwarder because normally the AD server can provide me with the information of all users. but despite that I can't find information on a few users 1/ do I have to install SA-ldapsearch?? thank you for briefly describing his role 2/ please check my input.conf file
your inputs.conf is correct.
About SA-ldapsearch, you have to install it in your Splunk server, and you must be sure that the firewall routes are open between the Splunk server and the DC.
Regarding SA-ldapsearch I have already installed on splunk server only and I did the configuration successfully and the test passed
but I can no longer save the password: if I close his tab and I come back: I find all the saved information except the password
I don't understand why and can this thing cause problems, I insist that when I type the password again I always had a connection with the AD server
tank you for your answer
no no I installed the redictor only on the active directory server, I only checked the box: enable AD monitoring because I want the information to come from the server
after that I created the folder on the 2 paths
in these 2 paths I put the same configuration file input.conf
I know the eventcode but the problem that I can have users and others not:
for example I have 4 users who logged in at 9am but on the console I find only 2
the problem does not come from the user station because I only take all the information from the server and for that I asked for the best procedure for monitoring users active directory
Please note, that you need to put local folder inside the application folder, not directly as a subdir of $SPLUNK_HOME\etc\apps.
If you are using Splunk_TA_windows app, you need to put your inputs.conf in the following local folder:
With regards to ldapsearch, test if it works by executing some search with | ldapsearch command. In my environment once saved, password is also not visible.
1- I don't understand do I have to install TA WINDOWS on the splunk server or not because gcusello said no???
2- yes i choosed this path
3- i used this command now and i had result
| ldapsearch domain=TRANSVET search="(objectClass=user)" attrs="sAMAccountName,cn"
so i have connection between splnk server and server active directory but why i cant save the password , in my environment i always find the empty password box and i retype it evry time
as you can read in my answer, I said that you have to install the TA-Windows both on Splunk Server and Forwarders.
As I said: on Splunk server it's used for parsing and on Forwarders for inputs.
if you see data on your Splunk, TAs are correctly configurated.
If you see only a part of logs, maybe some logins are local and not to the Domain.
To be more sure, you should installa Forwarder also on the clients.
As i said the splunkforwarder app in $SPLUNK_HOME\etc/apps, cannot be used, you have to put your TAs only in the $SPLUNK_HOME\etc\apps, that should be "C:\program Files\splunkforwarder\etc\apps"
so my first mistake: I installed TA WINDOWS on splunk server and I have to delete it..ok.
and considering "TA_microsoft_ad" I install it on the splunk server and forward it or not??
I apologize but I need to know the correct configuration because every one tells me contradictory information to the other
TAs must be installed both on the Splunk Server and on the Forwarders: on the first are used for parsing, on the second for inputs.
About your other question (SA-ldapsearch) I encountered this problem some years ago, but I thought that was solved!
Anyway, in Community you should find an answer for this.