
Administrator Audit function returning no results for Splunk App for Windows Infrastructure

dwithers
Explorer

I have the Splunk App for Windows Infrastructure up and running. The supporting SA-ldapsearch add-on is installed along with Java and is functioning fine as well. I am receiving results on virtually every dashboard included with the app.

The only dashboard I am having issues with is the Administrator Audit. I keep receiving a 'Search query is not resolved.' message in every view on that dashboard. Under Account Domain/Administrator there is a 'Search produced no results' message, and it is looking at the default 'Last 15 minutes'.

If I change the 15 minutes to 24 hours, or 1 minute, or some other 'real-time' search, the Account Domain will start 'Populating' and finally find the domain, but the Administrator is being hard-set to some random user/computer account and will not let me search for or choose an actual administrator.

I do not see any specific errors in splunkd.log or my SA-ldapsearch log relating to this. Any ideas?

jchampagne_splu
Splunk Employee

Do you get any results when you run this search?

eventtype=msad-admin-audit NOT src_nt_domain="NT AUTHORITY"|

This is the search that populates the Account Domain and Administrator drop-down menus.

The EventType msad-admin-audit relies on data from the following nested eventtypes. If you're not getting data back from these searches, then there is a problem with your data ingestion.

eventtype=msad-group-changes

eventtype=msad-nt5-group-changes 
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
    (EventCode=631 OR EventCode=634 OR EventCode=635 OR EventCode=638 OR EventCode=639 OR EventCode=641 OR EventCode=648 OR EventCode=649 OR EventCode=652 OR EventCode=653 OR EventCode=654 OR EventCode=657 OR EventCode=658 OR EventCode=659 OR EventCode=662 OR EventCode=663 OR EventCode=664 OR EventCode=667 OR EventCode=668)

eventtype=msad-nt6-group-changes
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
    (EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764)

eventtype=msad-groupmembership-changes

eventtype=msad-nt5-groupmembership-changes
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
    (EventCode=632 OR EventCode=633 OR EventCode=636 OR EventCode=637 OR EventCode=650 OR EventCode=651 OR EventCode=655 OR EventCode=656 OR EventCode=660 OR EventCode=661 OR EventCode=665 OR EventCode=666)

eventtype=msad-nt6-groupmembership-changes
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
    (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762)

eventtype=msad-computer-changes

eventtype=msad-nt5-computer-changes 
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
    (EventCode=645 OR EventCode=646 OR EventCode=647)

eventtype=msad-nt6-computer-changes
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
    (EventCode=4741 OR EventCode=4742 OR EventCode=4743)

eventtype=msad-user-changes

eventtype=msad-nt5-user-changes 
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
    (EventCode=624 OR EventCode=625 OR EventCode=626 OR EventCode=628 OR EventCode=629 OR EventCode=630 OR EventCode=642 OR EventCode=671 OR EventCode=685 OR EventCode=807) user!="*$"

eventtype=msad-nt6-user-changes
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
    (EventCode=4720 OR EventCode=4722 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4912) user!="*$"

eventtype=msad-account-lockout

eventtype=msad-nt5-account-lockout 
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=644

eventtype=msad-nt6-account-lockout
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=4740

eventtype=msad-account-unlock

eventtype=msad-nt5-account-unlock 
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=671

eventtype=msad-nt6-account-unlock
    sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=4767
0 Karma
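A diagnostic search that walks the eventtype hierarchy listed in the answer above, added here as an illustration and not taken from the original thread or from the app itself. It assumes the nested eventtypes and the src_nt_domain field exist as described in the answer. It expands the multivalued eventtype field so each event is counted once per leaf eventtype (the msad-nt5-* and msad-nt6-* definitions), and reports, per leaf and per sourcetype, how many events arrived, how many lack a src_nt_domain value, and how many carry only NT AUTHORITY as the domain. A leaf with zero events points at an ingestion or audit-policy gap; a leaf where every event is missing src_nt_domain points at a field-extraction problem rather than missing data.

```spl
eventtype=msad-admin-audit
| mvexpand eventtype
| search eventtype=msad-nt5-* OR eventtype=msad-nt6-*
| stats count AS events,
        count(eval(isnull(src_nt_domain))) AS missing_src_nt_domain,
        count(eval(src_nt_domain=="NT AUTHORITY")) AS nt_authority_only,
        dc(src_nt_domain) AS distinct_domains
  BY eventtype, sourcetype
| sort - events
```

Run it over a wide window such as the last 24 hours or 7 days first: the events behind this dashboard (group, membership, computer and user changes, lockouts and unlocks) are rare on a healthy domain, so an empty drop-down over the default 'Last 15 minutes' can simply mean nothing changed in that window. If the search returns nothing even over a wide window, fall back to the raw sourcetype and EventCode searches quoted in the answer, which do not depend on the eventtype definitions being present on the search head. Note also that `NOT src_nt_domain="NT AUTHORITY"` keeps events where the field is absent entirely, so a drop-down populated with a user or computer account rather than a domain usually means src_nt_domain is not being extracted for those events.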

irievibe
Explorer

same here.

0 Karma

lukeh
Contributor

same problem here, and we are running Splunk 6.1.1 with Splunk App for Windows Infrastructure 1.0.2

0 Karma

dbylertbg
Path Finder

Adding the following (in hopes for more search result matches):

This is the URI we are referring to...
dj/en-us/splunk_app_windows_infrastructure/ad/sec_admin_audit/

The path to access via gui is:

Splunk App for Windows Infrastructure --> Active Directory --> Users --> Administrator Audit.

0 Karma

dbylertbg
Path Finder

Same problem here...

0 Karma