Getting Data In

Can you help me with a dhcp user monitoring issue on a Windows Active Directory (AD) Server?

TitanAE
New Member

I have a Windows AD Server that I'm monitoring in my home Splunk lab. I'm also collecting Syslog Data from my firewall. My hope was to see users traversing the network and pulling a DHCP address from their machine. Then pulling their names via LDAP, and marrying that to my firewall logs.

However I'm not getting ip addresses and associated windows usernames within the same events.

I'm specifically monitoring DHCP log files in Windows. So that helps a bit. And I've made sure to allow logging of group policy events in Windows. However there's something I'm blind to right now.

Any help is appreciated.

0 Karma

kent_farries
Path Finder

I'm not sure I have enough to go on but here we go.

EventID/EventCode 4624 has both the user and IP address for the signature of "An account was successfully logged on".

You can run this search to see if you are getting 4624 events. If you are not, you need to configure your Domain Controllers' Advanced Audit Policy (don't use Legacy if you can help it) for logon events. A good guide on how to set up Advanced Logging can be found by searching "Windows Logging Cheat Sheet".

index=wineventlog "Put the Username here or the IP Address"
| fillnull value=unknown
| stats count by user,src_ip,EventCode,signature

Now if you want to combine events with the Windows DHCP logs you can do something like this. I'm sure there is a better way (lookups) but you get the idea.

index=wineventlog "ipaddress of one of your systems"
| eval ip=coalesce(src_ip,Source_Address)
| join ip type=left
[ search index=windows sourcetype=DhcpSrvLog earliest=-2d latest=now()
| fields ip,dest_nt_host,nt_host]
| fillnull value=unknown
| stats count by user,ip,nt_host,dest_nt_host,EventCode,signature

Hope this helps

0 Karma
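The correlation the answer above builds in SPL (left-joining 4624 logon events to DHCP lease records by IP), as an added Python example that is not part of either post. It assumes the Windows DHCP server audit-log column layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...; IDs 10 and 11 are lease and renew) and the `user`/`src_ip` field names the answer uses; it goes one step past the plain `join` by picking the lease that was current at logon time, so an IP that was re-leased to a different machine later in the day is not attributed to the wrong host.

```python
"""Correlate Windows 4624 logon events with DHCP server lease events by IP address."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Windows DHCP server audit-log layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address,...); ID 10 = Assign, 11 = Renew.
DHCP_LOG = """\
10,05/20/24,08:01:12,Assign,192.168.1.50,LAPTOP-A.lab.local,AABBCCDDEEFF,
11,05/20/24,08:30:05,Renew,192.168.1.51,DESKTOP-B.lab.local,112233445566,
10,05/20/24,12:45:00,Assign,192.168.1.50,LAPTOP-C.lab.local,0011223344FF,
"""

# Constructed 4624 events, already parsed into the fields the Splunk add-on exposes.
LOGONS = [
    {"_time": "05/20/24 08:05:00", "user": "alice", "src_ip": "192.168.1.50", "EventCode": 4624},
    {"_time": "05/20/24 13:00:00", "user": "bob",   "src_ip": "192.168.1.50", "EventCode": 4624},
    {"_time": "05/20/24 09:00:00", "user": "carol", "src_ip": "10.9.9.9",     "EventCode": 4624},
]

TIME_FMT = "%m/%d/%y %H:%M:%S"

def parse_dhcp_leases(text):
    """Return {ip: [(lease_time, hostname), ...]} from DHCP audit-log lines (IDs 10 and 11 only)."""
    leases = defaultdict(list)
    for line in text.splitlines():
        cols = line.split(",")
        if len(cols) < 6 or cols[0] not in ("10", "11"):
            continue  # skip header, DNS-update and other non-lease records
        when = datetime.strptime(f"{cols[1]} {cols[2]}", TIME_FMT)
        leases[cols[4]].append((when, cols[5]))
    for ip in leases:
        leases[ip].sort()  # chronological, so the last match below is the newest lease
    return leases

def correlate(logons, leases):
    """Left-join each logon to the lease that was current for its IP at logon time.

    Returns (user, ip, hostname-or-'unknown', EventCode) rows, mirroring the
    'fillnull value=unknown' in the SPL search.
    """
    rows = []
    for ev in logons:
        t = datetime.strptime(ev["_time"], TIME_FMT)
        host = None
        for when, name in leases.get(ev["src_ip"], []):
            if when <= t:
                host = name  # later leases overwrite: keep the latest one issued before the logon
        rows.append((ev["user"], ev["src_ip"], host or "unknown", ev["EventCode"]))
    return rows
```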