
Splunk App for Windows Infrastructure: Why does the Group Policy changes view display no results, but I'm able to view the data in a search?

arber
Communicator

Hello,
We are unable to get any kind of results in the Group Policy changes section of the Splunk App for Windows Infrastructure.
If we copy the search that is used from macros.conf:

    eventtype=msad-ad-access Object_Type=groupPolicyContainer|lookup HostToDomain host|search src_nt_domain="$domain$"|eval adminuser=src_nt_domain."\".src_user|eval Object_Name=replace(Object_Name,"}CN","},CN")|fields _time,Object_Name,adminuser,session_id|transaction maxspan=10m Object_Name,adminuser,session_id|ldapfetch dn=Object_Name attrs="cn,displayName"

it displays the data, but it is not shown automatically in the app. This happens on all 5 Splunk instances that we have deployed.

weeb
Splunk Employee

Just worked on this with a customer. Please confirm the following is NOT blacklisted:

In Splunk_TA_windows\default\inputs.conf

    [WinEventLog://Security]

    blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"

Copy over the following lines to the /local/inputs.conf

    [WinEventLog://Security]

    blacklist1 = 

This will overwrite the default blacklist for EventCode=4662 and allow the event to escape blacklisting.

It would be helpful to double check and confirm Group Policy Management settings as per:

http://docs.splunk.com/Documentation/MSApp/1.1.2/MSInfra/ConfigureActiveDirectoryauditpolicy
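To see what the default blacklist line quoted above actually keeps and drops, here is an added example (not part of the original thread, and not Splunk's own filtering code) that parses a `blacklistN = key="regex" ...` line and evaluates it against a few constructed 4662/4624 events. It assumes, as Splunk documents for this key="regex" form, that an event is dropped only when every pair matches. The `gpo_tabs` case is a check worth keeping in mind: because `\s+` can give back characters, the negative lookahead only protects the GPO event when exactly one whitespace character follows the `Object Type:` label; with two, the regex still matches and the event is dropped, so confirm the raw message layout before relying on the default filter.

```python
import re

# Constructed from the inputs.conf lines quoted in the thread above. Assumption
# (per Splunk's documented advanced blacklist format): an event is dropped only
# when every key="regex" pair on the line matches.
DEFAULT_BLACKLIST1 = r'blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"'
LOCAL_BLACKLIST1 = "blacklist1 ="   # the local override from the answer: an empty value

# key="value" pairs; the value may contain backslash escapes but no bare quotes
_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_blacklist(line):
    """Turn a 'blacklistN = key="regex" ...' line into (field, compiled regex) pairs."""
    _, _, value = line.partition("=")
    value = value.strip()
    return [(k, re.compile(v)) for k, v in _PAIR_RE.findall(value)]


def is_blacklisted(event, rules):
    """Drop the event only if every field/regex pair matches; with no rules nothing is dropped."""
    if not rules:
        return False
    return all(field in event and rx.search(event[field]) is not None
               for field, rx in rules)


# Constructed events, reduced to the two fields the blacklist inspects; the
# message text follows the shape of the 4662 event quoted later in the thread.
EVENTS = {
    "gpo": {"EventCode": "4662",
            "Message": "Object Type: groupPolicyContainer Object Name: CN=sample"},
    "user": {"EventCode": "4662",
             "Message": "Object Type: user Object Name: CN=sample"},
    "logon": {"EventCode": "4624",
              "Message": "An account was successfully logged on."},
    # same GPO event, but two whitespace characters after the label
    "gpo_tabs": {"EventCode": "4662",
                 "Message": "Object Type:\t\tgroupPolicyContainer Object Name: CN=sample"},
}


def decisions(line, events=EVENTS):
    """Map each sample event name to True (dropped) or False (kept) under the given line."""
    rules = parse_blacklist(line)
    return {name: is_blacklisted(ev, rules) for name, ev in events.items()}


if __name__ == "__main__":
    print("default:", decisions(DEFAULT_BLACKLIST1))
    print("local:  ", decisions(LOCAL_BLACKLIST1))
```

Running it shows the default line keeping the single-space GPO event and the 4624 logon while dropping the non-GPO 4662 event (and, because of the backtracking, the two-tab GPO variant); the empty local override keeps everything.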

JScordo
Path Finder

Before overwriting the default blacklist, can you let us know what the purpose of the original blacklist was? And what kind of performance issues (if any) this could lead to?

ahall_splunk
Splunk Employee

What version of the Windows Infrastructure app are you using?
What version of the SA-ldapsearch app are you using?

Please ensure you are running v1.1.13 of SA-ldapsearch and the latest Windows Infrastructure app, then let me know if the same thing is happening.

My thought is that this is a different manifest of a GPO bug we fixed in the last release. But I'll need you to upgrade in order to figure that out.

arber
Communicator

Hello,

We have SA-ldapsearch 1.1.13 and the Windows Infrastructure app 1.0.3.

Thanks a lot for your support


ahall_splunk
Splunk Employee

Those are the latest versions, so you should have no problem. I'll need to set up a reproduction. What version of Windows are you using? What's the forest and domain level?


arber
Communicator

It is Windows Server 2008 R2.

The forest and domain level are Windows Server 2008 R2.


ahall_splunk
Splunk Employee

There were a whole slew of old bugs that were corrected in v1.0.1 that dealt with GPOs and alternate forms of the GPO. It looks like you have bumped into them again. But your version is new enough that they should not be an issue.

Can you show off an example event please? The search is "eventtype=msad-ad-access Object_Type=groupPolicyContainer|head 1"


arber
Communicator

I executed the command and it got the log. The problem is that when I try it from the app, sometimes it works and sometimes it doesn't. It seems like when a "certain" event is present we get the error.

Below is the message from the event:

    An operation was performed on an object. Subject : Security ID: ***.7 Account Name: *.7 Account Domain: *** Logon ID: 0xd72d54f Object: Object Server: DS Object Type: groupPolicyContainer Object Name: CN={AE53600E-6519-4741-9E28-FB1B62C6D14F}CN=Policies,CN=System,DC=*,DC=,DC=*** Handle ID: 0x0 Operation: Operation Type: Object Access Accesses: Write Property Access Mask: 0x20 Properties: Write Property Default Property Set versionNumber groupPolicyContainer Additional Information: Parameter 1: - Parameter 2:

Thanks again for your effort


arber
Communicator

I've noticed also that when I run the above search it will find the data, but in the Statistics tab I will get an error:

    ERROR: com.unboundid.ldap.sdk.LDAPException: The provided string could not be decoded as a DN because no equal sign was found after the RDN attribute '{bdf95c5b-6335-45f5-a4e0-a796253f36df}'
    External search command 'ldapfetch' returned error code 1. First 1000 (of 16465) bytes of script output: "Object_Name,mv_Object_Name,_bkt,mv_bkt,_cd,mvcd,_indextime,mvindextime,_pre_msg,mvpre_msg,_raw,mvraw,_serial,mvserial,_si,mvsi,_sig,mvsig,_sourcetype,mvsourcetype,_time,mvtime,adminuser,mv_adminuser,closed_txn,mv_closed_txn,duration,mv_duration,eventcount,mv_eventcount,field_match_sum,mv_field_match_sum,linecount,mv_linecount,session_id,mv_session_id,cn,mv_cn,displayName,_mv_displayName "CN={C908D06C-DD17-4274-A76B-53E95B01E708},CN=Policies,CN=System,DC=xxx,DC=xxx,DC=xxxx",,winevents_security~84~EA89C568-D896-49AD-AE1A-0E5830B22242,,84:675082567,,1413896828,,"10/21/2014 03:07:06 PM LogName=Security

But this does not always happen, meaning that if I change the date to, let's say, last day or last 2 days, I won't get the issue. Very strange; it seems that a specific event may cause the problem.

Is this a bug, or do I have to configure something on the DCs?

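The two Object_Name forms in this thread (the raw 4662 value with no comma between the GPO GUID and `CN=Policies`, and the well-formed DN in the ldapfetch output) are exactly what the macro's `replace(Object_Name,"}CN","},CN")` step bridges. As an added example (not from the original thread and not the app's own code), the following checks Object_Name values before they reach an LDAP lookup: it applies the same replacement the macro does, splits the DN into RDNs, and reports whether the value is fine as-is, fixed by the replacement, or still unparseable. It assumes GPO container DNs never use multi-valued RDNs or hex-encoded values, and the domain components of the samples are constructed as example.com. The third sample is a constructed string whose first RDN has no '=', to show the same failure class that ldapfetch printed above; it does not claim that this is what produced that error.

```python
import re

# Constructed sample values, modelled on the Object_Name strings quoted in the
# thread (domain components replaced with example.com).
RAW_OBJECT_NAME = "CN={AE53600E-6519-4741-9E28-FB1B62C6D14F}CN=Policies,CN=System,DC=example,DC=com"
GOOD_OBJECT_NAME = "CN={C908D06C-DD17-4274-A76B-53E95B01E708},CN=Policies,CN=System,DC=example,DC=com"
# Constructed: first RDN lacks '=', the failure class ldapfetch reported.
NO_EQUALS_OBJECT_NAME = "{bdf95c5b-6335-45f5-a4e0-a796253f36df},CN=Policies,CN=System,DC=example,DC=com"

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


class DNParseError(ValueError):
    """Raised for a string that cannot be read as a DN."""


def normalize_gpo_dn(dn):
    """Insert the comma the 4662 Object_Name sometimes lacks between the GPO
    GUID and CN=Policies: the same text replacement the app's macro performs."""
    return dn.replace("}CN", "},CN")


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs.

    Simplified RFC 4514 handling: RDNs are separated by unescaped commas and
    each RDN must contain an '='. Multi-valued RDNs ('+') and hex values are
    not supported (assumption: GPO container DNs never use them)."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise DNParseError(
                f"no equal sign was found after the RDN attribute '{rdn.strip()}'")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def validate_gpo_dn(dn):
    """Return (ok, reason). A GPO DN must start with CN={GUID} followed by
    CN=Policies; anything else is not the object the app wants to fetch."""
    try:
        pairs = parse_dn(dn)
    except DNParseError as exc:
        return False, str(exc)
    if len(pairs) < 2:
        return False, "too few RDNs"
    attr, value = pairs[0]
    if attr.upper() != "CN" or not GUID_RE.match(value):
        return False, f"first RDN is not CN={{GUID}}: {pairs[0]}"
    if pairs[1] != ("CN", "Policies"):
        return False, f"second RDN is not CN=Policies: {pairs[1]}"
    return True, "ok"


def check_object_names(names):
    """Classify each Object_Name: 'ok', 'fixed by replace', or 'still broken'."""
    report = {}
    for name in names:
        raw_ok, _ = validate_gpo_dn(name)
        fixed_ok, _ = validate_gpo_dn(normalize_gpo_dn(name))
        report[name] = "ok" if raw_ok else ("fixed by replace" if fixed_ok else "still broken")
    return report


if __name__ == "__main__":
    samples = [RAW_OBJECT_NAME, GOOD_OBJECT_NAME, NO_EQUALS_OBJECT_NAME]
    for name, status in check_object_names(samples).items():
        print(f"{status:17} {name}")
```

Running the same classification over the Object_Name values from a wider time range than the one that fails is a quick way to find the single event that breaks the view: any value reported as "still broken" is one the macro's replacement does not repair and that ldapfetch will reject.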