How to create searches for a dashboard on Active Directory user activity?

akashjohn
Explorer

Hi Team,

We are trying to create a dashboard with a couple of Active Directory user activities (like Login Success vs failure, Locked out accounts, Pwd expired accounts, Most active accounts etc). Could you please let us know how we can create Splunk searches to get this data?

0 Karma

sundareshr
Legend

@akashjohn if you have the data in splunk, look at this site for ideas for queries http://gosplunk.com/failed-versus-successful-logon-attempts/

If you don't have the data in splunk, check out this app https://splunkbase.splunk.com/app/1680/

0 Karma

akashjohn
Explorer

Hi Team,

We were not able to find any user activity logs in Splunk. The methods which we tried are given below:
- index = main sourcetype = "security"
- source=WinEventLog:security

Both of these methods are not providing the logs (one user's logs are available) as a result in the Splunk query. So we suspect the logs are not being ported to the Splunk server.

Could you please let us know which configurations we need to set up on the client server side to send logs to the Splunk server?

We are assuming that the AD server logs will provide all the necessary data about AD user account related activities; if not, please let us know on which servers we need to set up the Splunk configuration.

Thanks,
Akash John

0 Karma

rafamss
Contributor

Active Directory generates logs locally on the machine on which it is deployed, so just collect these logs from the servers and begin making some searches. Some examples:

index = security sourcetype = adLog (error OR fail*) | stats count

You can get this data through these methods: monitoring the file system, by script, or by uploading the file to Splunk.

Follow this source to configure the AD log: https://technet.microsoft.com/en-us/library/cc961809.aspx

0 Karma
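As an added example (not code from the thread or from Splunk), the script below shows what the four dashboard panels asked about in the question reduce to once the domain controller's Security log is actually reaching Splunk: counting logon success (4624) against failure (4625), listing accounts from lockout events (4740), picking out failures whose Sub_Status is the expired-password code, and ranking accounts by successful logons. The event lines are constructed, flattened key=value samples in the shape a Windows forwarder produces for sourcetype=WinEventLog:Security; the account and host names are invented, and the SPL in the comments is the search each function corresponds to, assuming the default field names Splunk extracts from those events.

```python
import re
from collections import Counter

# Well-known Windows Security event IDs written by a domain controller:
#   4624 = logon success, 4625 = logon failure, 4740 = account locked out.
# A 4625 whose Sub_Status is 0xC0000071 is a failure caused by an expired password.
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
ACCOUNT_LOCKED_OUT = 4740
SUBSTATUS_PASSWORD_EXPIRED = "0xC0000071"

# Constructed sample events (not real logs), one event per line, in the
# flattened key=value form a forwarder produces for WinEventLog:Security.
SAMPLE_EVENTS = [
    "EventCode=4624 Account_Name=alice Logon_Type=3 Workstation_Name=WS01",
    "EventCode=4624 Account_Name=alice Logon_Type=3 Workstation_Name=WS01",
    "EventCode=4624 Account_Name=bob Logon_Type=2 Workstation_Name=WS02",
    "EventCode=4625 Account_Name=carol Status=0xC000006D Sub_Status=0xC000006A Workstation_Name=WS03",
    "EventCode=4625 Account_Name=carol Status=0xC000006D Sub_Status=0xC000006A Workstation_Name=WS03",
    "EventCode=4625 Account_Name=dave Status=0xC000006E Sub_Status=0xC0000071 Workstation_Name=WS04",
    "EventCode=4740 Account_Name=carol Caller_Computer_Name=WS03",
    "EventCode=4624 Account_Name=alice Logon_Type=10 Workstation_Name=WS05",
]


def parse_event(line):
    """Turn 'Key=value Key2=value2' into a dict; EventCode becomes an int."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["EventCode"] = int(fields["EventCode"])
    return fields


def logon_outcomes(events):
    """Panel: login success vs failure.
    SPL: sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4625) | stats count by EventCode
    """
    codes = Counter(e["EventCode"] for e in events)
    return {"success": codes[LOGON_SUCCESS], "failure": codes[LOGON_FAILURE]}


def locked_out_accounts(events):
    """Panel: locked out accounts.
    SPL: sourcetype=WinEventLog:Security EventCode=4740 | stats values(Account_Name)
    """
    return sorted({e["Account_Name"] for e in events if e["EventCode"] == ACCOUNT_LOCKED_OUT})


def password_expired_accounts(events):
    """Panel: accounts whose logon failed because the password has expired.
    SPL: sourcetype=WinEventLog:Security EventCode=4625 Sub_Status=0xC0000071 | stats values(Account_Name)
    """
    return sorted({e["Account_Name"] for e in events
                   if e["EventCode"] == LOGON_FAILURE
                   and e.get("Sub_Status") == SUBSTATUS_PASSWORD_EXPIRED})


def most_active_accounts(events, limit=5):
    """Panel: most active accounts, ranked by successful logons.
    SPL: sourcetype=WinEventLog:Security EventCode=4624 | top limit=5 Account_Name
    """
    by_user = Counter(e["Account_Name"] for e in events if e["EventCode"] == LOGON_SUCCESS)
    return by_user.most_common(limit)


def build_dashboard(lines):
    """Parse raw event lines once and compute every panel from the result.
    An empty input yields zero counts and empty lists rather than an error,
    which is exactly what an unfed index looks like."""
    events = [parse_event(line) for line in lines]
    return {
        "logons": logon_outcomes(events),
        "locked_out": locked_out_accounts(events),
        "password_expired": password_expired_accounts(events),
        "most_active": most_active_accounts(events),
    }


if __name__ == "__main__":
    for panel, value in build_dashboard(SAMPLE_EVENTS).items():
        print(f"{panel}: {value}")
```

If every panel comes back with zero counts, the search logic is not the problem: no Security events are reaching the index, which is the situation the rest of this thread ends up diagnosing, and the fix belongs on the forwarder side of the domain controllers rather than in the dashboard.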

akashjohn
Explorer

Hi rafamss,

Thanks for the response. Unfortunately we were not able to find any logs as output.

0 Karma