
When does the admon input generate an update event (admonEventType=Update)?

btiggemann
Path Finder

Hi Splunkers,
I am struggling a little bit with the documentation of the Active Directory monitoring input of the Splunk Add-on for Microsoft Windows.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/MonitorActiveDirectory

admon generates an event if there was a change to an AD object, for example a user. This is what the docs say:

When an AD object changes, Splunk generates an update event.

But what does that mean exactly? Is the update event only generated if there was a change to a user's group membership, or if somebody changed their phone number? Or is an event generated even if the user just logs in to a system?

If you look at the sample log, there is a field called lastLogon; my idea is that if the last logon changes, there will be a new event from admon. Am I right?

2/1/10
3:17:18.009 PM

02/01/2010 15:17:18.0099
dcName=stuff.splunk.com
admonEventType=Update
Names:
    objectCategory=CN=Computer,CN=Schema,CN=Configuration
    name=stuff2
    displayName=stuff2
    distinguishedName=CN=stuff2,CN=Computers
Object Details:
    sAMAccountType=805306369
    sAMAccountName=stuff2
    logonCount=4216
    accountExpires=9223372036854775807
    objectSid=S-1-5-21-3436176729-1841096389-3700143990-1190
    primaryGroupID=515
    pwdLastSet=06:30:13 pm, Sat 11/27/2010
    lastLogon=06:19:43 am, Sun 11/28/2010
    lastLogoff=0
    badPasswordTime=0
    countryCode=0
    codePage=0
    badPwdCount=0
    userAccountControl=4096
    objectGUID=blah
    whenChanged=01:02.11 am, Thu 01/28/2010
    whenCreated=05:29.50 pm, Tue 11/25/2008
    objectClass=top|person|organizationalPerson|user|computer
Event Details:
    uSNChanged=2921916
    uSNCreated=1679623
    instanceType=4
Additional Details:
    isCriticalSystemObject=FALSE
    servicePrincipalName=TERMSRV/stuff2|TERMSRV blah
    dNSHostName=stuff2.splunk.com
    operatingSystemServicePack=Service Pack 2
    operatingSystemVersion=6.0 (6002)
    operatingSystem=Windows Vista Ultimate
    localPolicyFlags=0

skalliger
SplunkTrust

Hi,
we implemented a Universal Forwarder ourselves and I also had some questions regarding this topic. However, I don't get why people want to use the AD App; you're also restricted to Splunk running on Windows. Maybe read more about it here: http://blogs.splunk.com/2014/01/27/working-with-active-directory-on-splunk-universal-forwarders/

You cannot easily answer this by saying "yes" or "no". In most cases, the answer would simply be "no": a login is not logged as an admonEventType=Update. *
Splunk uses Microsoft's API to get change notifications (as mentioned in the blog above, IIRC). A standard change notification for an object would be a password change (pwdLastSet). You can enable change notifications in ADSI Edit if I am not wrong. But I am no AD guru, so better ask someone who knows how to enable object notifications for third-party applications.

* I am not talking about logons on the AD controller itself. Read more about some tips & tricks here: http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/



btiggemann
Path Finder

Hi, thanks for taking the time to give a detailed answer.
We will now use a different approach, using PowerShell with the AD module to get this information out of AD.

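The PowerShell/AD-module approach the asker moved to, worked through as an added example (this is not code from the thread, from the Splunk add-on, or from the linked blog posts). It reproduces the gist of an admon Update event by polling one domain controller for objects whose uSNChanged has moved past a saved watermark, and it surfaces the attributes the question is about. The DC name dc01.example.com and the watermark file path are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread or from Splunk. Polls one DC for objects
# changed since a saved uSNChanged watermark and emits admon-style Update records.
# Assumed (hypothetical): the DC name and the watermark file path below.
param(
    [string]$Server        = 'dc01.example.com',                  # assumed DC; always poll the same one
    [string]$WatermarkPath = "$env:ProgramData\admon-poll\usn.txt" # assumed path; keep one file per DC
)

Import-Module ActiveDirectory

# uSNChanged is a per-DC counter and is not replicated, so a watermark taken from
# one DC means nothing on another. Start from 0 on the first run.
$lastUsn = [int64]0
if (Test-Path -Path $WatermarkPath) {
    $lastUsn = [int64]((Get-Content -Path $WatermarkPath -Raw).Trim())
}

function ConvertFrom-FileTime {
    # AD stores lastLogon/pwdLastSet/accountExpires as 100 ns ticks since 1601-01-01.
    # 0 means "never"; 0x7FFFFFFFFFFFFFFF (9223372036854775807, as in the sample's
    # accountExpires) means "never expires". Both map to $null here.
    param($Ticks)
    if ($null -eq $Ticks -or $Ticks -le 0 -or $Ticks -ge [Int64]::MaxValue) { return $null }
    return [datetime]::FromFileTime([Int64]$Ticks)
}

$props = 'uSNChanged', 'whenChanged', 'lastLogon', 'lastLogonTimestamp',
         'pwdLastSet', 'userAccountControl', 'objectClass'

# LDAP supports >= on large-integer attributes, so one query returns everything
# that changed on this DC since the watermark.
$changed = @(Get-ADObject -Server $Server -LDAPFilter "(uSNChanged>=$($lastUsn + 1))" -Properties $props)

foreach ($obj in ($changed | Sort-Object -Property uSNChanged)) {
    [pscustomobject]@{
        admonEventType     = 'Update'
        dcName             = $Server
        distinguishedName  = $obj.DistinguishedName
        objectClass        = $obj.ObjectClass
        uSNChanged         = $obj.uSNChanged
        whenChanged        = $obj.whenChanged
        # lastLogon is a non-replicated attribute: this value is only what $Server knows.
        lastLogon          = ConvertFrom-FileTime $obj.lastLogon
        # lastLogonTimestamp is replicated, but is only rewritten when the stored value
        # is older than msDS-LogonTimeSyncInterval (14 days by default).
        lastLogonTimestamp = ConvertFrom-FileTime $obj.lastLogonTimestamp
        pwdLastSet         = ConvertFrom-FileTime $obj.pwdLastSet
        userAccountControl = $obj.userAccountControl
    }
}

# Persist the highest USN seen so the next run only returns newer changes.
if ($changed.Count -gt 0) {
    $maxUsn = ($changed | Measure-Object -Property uSNChanged -Maximum).Maximum
    New-Item -ItemType Directory -Force -Path (Split-Path -Path $WatermarkPath -Parent) | Out-Null
    Set-Content -Path $WatermarkPath -Value $maxUsn
}
```

Two caveats for anyone using this in place of admon: because lastLogon is not replicated, an accurate "last logon" needs the same query against every DC in the domain, and lastLogonTimestamp is only a coarse substitute. Group membership changes are writes to the group's member attribute, so they show up as a change to the group object, not to the user whose memberOf (a computed back-link) you may be watching.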