
SA-ldapsearch / Active Directory issue

frankbezemer
New Member

I am having issues with the Active Directory/ldapsearch app.
I have the ldap.conf configured properly I think.

When I click on one of the security audit reports I see that LDAP is being used.
I ran Wireshark on the Windows server, and as a test I used unsecured LDAP.
I see the Splunk server authenticating fine, I see LDAP returning a bunch of data, but then nothing shows up in Splunk.
I do get two bars at the top with:
[subsearch]: No matching fields exist
No matching fields exist

I thought maybe it only works with SSL enabled, so I tried that too, but same effect.
The other issue (might be related) is that the debug=t doesn't seem to do anything for the ldapsearch. Nothing is written in the debug log.

I can use other LDAP browsers and connect to LDAP no problem.

Splunk is running on Linux and I am monitoring a Windows Advanced 2008 R2 server.

The rest of the app seems to be running fine.


ahall_splunk
Splunk Employee

If there is an event in the time period you are looking at for the user in question in eventtype=msad-failed-user-logons and the LDAP record is returning correctly, then you should not see the subsearch error as it is returning information. Something else must be going wrong.

If you have a support contract, then escalate this through our support department since we need to take a closer look. If you don't have a support contract, then first off, you need one for exactly this sort of problem. Secondly, take a look at the underlying XML data and pull out the search that is causing the error, then break it down into its component parts to determine which bit is not working.


ahall_splunk
Splunk Employee

If you are evaluating Splunk, then please contact your friendly Splunk sales rep for assistance.


frankbezemer
New Member

No, I am evaluating Splunk, so we don't have a support agreement (yet).
What XML do you mean exactly? I have tried the search of one of the failed ones, and I can't really find it. It seems every LDAP query fails.


ahall_splunk
Splunk Employee

Based on the above, the app is not seeing the audit trail stored in the Windows Security Event Log. Try the following:

  1. Ensure that splunk_TA_Windows is installed on your domain controller forwarders
  2. Ensure you have set up the DC audit (per the documentation on http://docs.splunk.com)
  3. Run a search for:

    eventtype=msad-failed-user-logons

     and ensure it is returning information for the user that you are searching for (assuming you are testing audit_user).

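As an added example, not part of the thread or of the app's own searches, the breakdown suggested in this answer can be done as three separate searches run in order: the raw audit events first, the LDAP lookup on its own, and only then the two joined. It assumes the `ldapsearch` command syntax of current SA-ldapsearch releases (`domain`, `search` and `attrs` arguments, `default` as the domain stanza name), which may differ from the ldap.conf-based version discussed here, assumes the failed-logon events carry a `user` field, and uses `<test_user>` as a placeholder account name.

```spl
eventtype=msad-failed-user-logons user=<test_user>
| stats count BY user, src, host

| ldapsearch domain=default search="(&(objectClass=user)(sAMAccountName=<test_user>))" attrs="sAMAccountName,distinguishedName,memberOf"

eventtype=msad-failed-user-logons user=<test_user>
| stats count BY user
| join type=inner user
    [| ldapsearch domain=default search="(&(objectClass=user)(sAMAccountName=<test_user>))" attrs="sAMAccountName,distinguishedName"
     | rename sAMAccountName AS user]
```

If the first search returns rows but the second returns none, the problem is in the LDAP side (connection, bind account, base DN or filter) rather than in the audit data; if both return rows but the third is empty, the join field does not line up (for example the event's `user` value is `DOMAIN\name` while LDAP returns a bare `sAMAccountName`), which is exactly the situation that produces "[subsearch]: No matching fields exist".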

frankbezemer
New Member

OK, thanks for your help.

Yes, I have the splunk_ta_windows on my DC.
I have set it up according to documentation on the website.

When I run a search for "eventtype=msad-failed-user-logons" events do show up.
Anything else you can think of that might be wrong?


ahall_splunk
Splunk Employee

It would be helpful to understand which dashboard (URL) and which panel within the dashboard is having the issue. We can then look at the individual searches and see if you have some commonality.


frankbezemer
New Member

Hi, thanks for your help.

All the ones in Security > Audit:
/app/Splunk_for_ActiveDirectory/audit_computer
/app/Splunk_for_ActiveDirectory/audit_user
/app/Splunk_for_ActiveDirectory/audit_group
/app/Splunk_for_ActiveDirectory/audit_gpo
