Splunk Search

Am I taking the correct steps for monitoring active directory and analyzing user accounts?

hichem_khalfi
Path Finder


Good morning all
Please, I'm in a big das that I can't solve: I'm a student, I'm preparing my graduation project, and it's my first time with Splunk.
I want to know if my steps are correct or not.
I want to analyze the user accounts of my Active Directory: I want to work only on the information concerning the connection of the accounts (login, logoff...) and also (creation, modification, deletion...).
For that I installed these 3 apps on my Splunk server:
Splunk_TA_windows
Splunk_TA_microsoft_ad
SA-ldapsearch (I don't know why I can't save the domain password on this add-on despite the connection being successful)
After that I copied the 2 folders "Splunk_TA_windows" and
"Splunk_TA_microsoft_ad" to my AD server, in the splunkforwarder folder path.
After that I configured this inputs file and copied it to a new "local" folder on the 2 servers:

************************

###### Monitor Inputs for Active Directory ######
[monitor://C:\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled=0
renderXml=false
index=main

[WinEventLog://Security]
disabled = 0
index=main
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist=4724,4725,4726,4624,4625,4720,4732,4722,4738,4742,4729,4715,4719,4768,4769
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=false

[WinEventLog://Microsoft-Windows-TerminalServices-LocalSessionManager/Operational]
disabled = 0
index=main
renderXml=false

******************

Am I missing another step?
Is the inputs file configuration correct?
Can I meet my needs with this configuration?

Thank you for answering me, because I cannot find the right answer on the net and I have a big problem: I find incomplete information on some users when I launch searches concerning their opening and closing of sessions.

I apologize for this long message, but I must explain all the details to you to get the best advice.


gcusello
SplunkTrust

Hi @hichem_khalfi,

First, don't install the above TAs in that folder, but in the $SPLUNK_HOME\etc\apps folder.

Then, I suppose that you already configured your forwarders to send data to Splunk; if not, see the video or docs (https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Data/Getstartedwithgettingdatain).

Then SA-ldapsearch must be installed on your Splunk server, not on the forwarders: it's used to make some LDAP calls to extract data.

For information about login events, you have to search for events with:

  • EventCode=4624 (login)
  • EventCode=4625 (logfail)
  • EventCode=4634 (logout)

Ciao.

Giuseppe

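As an added example that is not part of the thread: pairing the 4624/4634 events above by Logon ID, in Python over constructed sample events. Field names follow the Splunk_TA_windows extractions for the Security channel (EventCode, Account_Name, Logon_ID, Logon_Type); the 4768 line is included to show why a collection taken only from the domain controller can list fewer users than actually logged in.

```python
from collections import defaultdict

# Constructed sample events in the key=value shape Splunk_TA_windows extracts
# from a domain controller's Security channel (_time shortened to small ints).
SAMPLE_EVENTS = [
    {"_time": 100, "EventCode": 4624, "Account_Name": "alice", "Logon_ID": "0x3e7a1", "Logon_Type": 10},
    {"_time": 110, "EventCode": 4624, "Account_Name": "bob",   "Logon_ID": "0x3e7b2", "Logon_Type": 3},
    {"_time": 120, "EventCode": 4625, "Account_Name": "carol", "Logon_ID": "0x0",     "Logon_Type": 3},
    {"_time": 130, "EventCode": 4634, "Account_Name": "bob",   "Logon_ID": "0x3e7b2", "Logon_Type": 3},
    {"_time": 140, "EventCode": 4634, "Account_Name": "dave",  "Logon_ID": "0x3e7c3", "Logon_Type": 2},
    {"_time": 150, "EventCode": 4768, "Account_Name": "erin",  "Logon_ID": None,      "Logon_Type": None},
]


def pair_sessions(events):
    """Match each 4624 to the 4634/4647 carrying the same Logon_ID.
    A logoff without a matching logon is kept with start=None, so a lost or
    never-collected 4624 stays visible instead of silently disappearing."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        lid = ev["Logon_ID"]
        if ev["EventCode"] == 4624:
            sessions[lid] = {"user": ev["Account_Name"], "logon_type": ev["Logon_Type"],
                             "start": ev["_time"], "end": None, "duration": None}
        elif ev["EventCode"] in (4634, 4647):
            s = sessions.setdefault(lid, {"user": ev["Account_Name"], "logon_type": ev["Logon_Type"],
                                          "start": None, "end": None, "duration": None})
            s["end"] = ev["_time"]
            if s["start"] is not None:
                s["duration"] = s["end"] - s["start"]
    return sessions


def account_summary(events):
    """Per account: 4624 logons to this host, 4625 failures, 4768 TGT requests.
    A user with TGT requests but no 4624 logged on to another machine; that 4624
    is in that machine's Security log, not in the domain controller's."""
    summary = defaultdict(lambda: {"logons": 0, "failures": 0, "tgt_requests": 0})
    counters = {4624: "logons", 4625: "failures", 4768: "tgt_requests"}
    for ev in events:
        if ev["EventCode"] in counters:
            summary[ev["Account_Name"]][counters[ev["EventCode"]]] += 1
    return dict(summary)


def users_seen_only_via_kerberos(events):
    """Accounts whose only trace on the DC is a Kerberos TGT request."""
    return sorted(u for u, c in account_summary(events).items()
                  if c["tgt_requests"] and not c["logons"])
```

Running it on the sample gives one closed session (bob, 20 s), one still open (alice), one logoff with no collected logon (dave), and erin as a domain user who never logged on to the DC itself.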

hichem_khalfi
Path Finder

Like I said: on the Splunk server I installed Splunk_TA_windows, Splunk_TA_microsoft_ad and SA-ldapsearch (I don't know why I can't save the domain password on this add-on despite the connection being successful). On the Active Directory server, which is my forwarder, I installed only Splunk_TA_windows and Splunk_TA_microsoft_ad. I used only one forwarder because normally the AD server can provide me with the information of all users. But despite that I can't find information on a few users.
1/ Do I have to install SA-ldapsearch? Thank you for briefly describing its role.
2/ Please check my inputs.conf file.

gcusello
SplunkTrust

Hi @hichem_khalfi,

your inputs.conf is correct.

About SA-ldapsearch, you have to install it in your Splunk server, and you must be sure that the firewall routes are open between the Splunk server and the DC.

Ciao.

Giuseppe


hichem_khalfi
Path Finder

Regarding SA-ldapsearch, I have already installed it on the Splunk server only, I did the configuration successfully and the test passed,
but I can no longer save the password: if I close its tab and come back, I find all the saved information except the password.
I don't understand why, and can this thing cause problems? I insist that when I type the password again I always have a connection with the AD server.

hichem_khalfi
Path Finder

Thank you for your answer.

No, no, I installed the forwarder only on the Active Directory server; I only checked the box "enable AD monitoring" because I want the information to come from the server.
After that I created the folder on the 2 paths:
SPLUNK_HOME\etc\apps folder\local
SPLUNK_FORWARDER\etc\apps folder\local
In these 2 paths I put the same configuration file inputs.conf.

I know the event codes, but the problem is that I get some users and not others:
for example I have 4 users who logged in at 9am, but on the console I find only 2.

The problem does not come from the user workstation because I only take all the information from the server, and that is why I asked for the best procedure for monitoring Active Directory users.

JacekF
Path Finder

Please note that you need to put the local folder inside the application folder, not directly as a subdirectory of $SPLUNK_HOME\etc\apps.

If you are using the Splunk_TA_windows app, you need to put your inputs.conf in the following local folder:

$SPLUNK_HOME\etc\apps\Splunk_TA_windows\local

With regards to ldapsearch, test if it works by executing some search with the | ldapsearch command. In my environment, once saved, the password is also not visible.

hichem_khalfi
Path Finder

Hi

1- I don't understand: do I have to install TA Windows on the Splunk server or not, because gcusello said no???

2- Yes, I chose this path.

3- I used this command now and I had a result:

| ldapsearch domain=TRANSVET search="(objectClass=user)" attrs="sAMAccountName,cn"

So I have a connection between the Splunk server and the Active Directory server, but why can't I save the password? In my environment I always find the empty password box and I retype it every time.

gcusello
SplunkTrust

Hi @hichem_khalfi,

As you can read in my answer, I said that you have to install the TA-Windows both on the Splunk server and on the forwarders.

As I said: on the Splunk server it's used for parsing, and on the forwarders for inputs.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @hichem_khalfi,

If you see data on your Splunk, the TAs are correctly configured.

If you see only a part of the logs, maybe some logins are local and not to the domain.

To be more sure, you should install a forwarder also on the clients.

As I said, the splunkforwarder app in $SPLUNK_HOME\etc/apps cannot be used; you have to put your TAs only in $SPLUNK_HOME\etc\apps, which should be "C:\program Files\splunkforwarder\etc\apps".

Ciao.

Giuseppe


hichem_khalfi
Path Finder

So my first mistake: I installed TA Windows on the Splunk server and I have to delete it.. ok.
And considering "TA_microsoft_ad", do I install it on the Splunk server and the forwarder or not??
I apologize, but I need to know the correct configuration, because everyone tells me information that contradicts the others.

gcusello
SplunkTrust

Hi @hichem_khalfi,

TAs must be installed both on the Splunk server and on the forwarders: on the first they are used for parsing, on the second for inputs.

About your other question (SA-ldapsearch), I encountered this problem some years ago, but I thought it was solved!

Anyway, in the Community you should find an answer for this.

Ciao.

Giuseppe
