
Can you help me with a DHCP user monitoring issue on a Windows Active Directory (AD) server?

TitanAE
New Member

I have a Windows AD server that I'm monitoring in my home Splunk lab. I'm also collecting syslog data from my firewall. My hope was to see users traversing the network and pulling a DHCP address from their machine, then pulling their names via LDAP and marrying that to my firewall logs.

However, I'm not getting IP addresses and associated Windows usernames within the same events.

I'm specifically monitoring DHCP log files in Windows, so that helps a bit. And I've made sure to allow logging of group policy events in Windows. However, there's something I'm blind to right now.

Any help is appreciated.

0 Karma

kent_farries
Path Finder

I'm not sure I have enough to go on but here we go.

EventID/EventCode 4624 has both the user and IP address for the signature of "An account was successfully logged on".

You can run this search to see if you are getting 4624 events. If you are not, you need to configure your Domain Controllers' Advanced Audit Policy (don't use Legacy if you can help it) for logon events. A good guide on how to set up Advanced Logging can be found by searching "Windows Logging Cheat Sheet".

index=wineventlog "Put the Username here or the IP Address"
| fillnull value=unknown
| stats count by user,src_ip,EventCode,signature

Now, if you want to combine events with the Windows DHCP logs, you can do something like this. I'm sure there is a better way (lookups), but you get the idea.

index=wineventlog "ipaddress of one of your systems"
| eval ip=coalesce(src_ip,Source_Address)
| join ip type=left
[ search index=windows sourcetype=DhcpSrvLog earliest=-2d latest=now
| fields ip,dest_nt_host,nt_host]
| fillnull value=unknown
| stats count by user,ip,nt_host,dest_nt_host,EventCode,signature

Hope this helps

0 Karma
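The lookup-based form that kent_farries alludes to, written out here as an added example; it is not from the thread. A `join` runs the DHCP search as a subsearch, and subsearches are capped in result count and run time by limits.conf, so on a busy DHCP server the left join silently loses lease rows. Building a lookup table on a schedule and enriching the 4624 events with `lookup` avoids that cap. The DHCP server log IDs 10 (new lease) and 11 (renewal) are Microsoft's documented values; the field names `id`, `Logon_Type` and `Source_Network_Address`, and the lookup file name `dhcp_ip_to_host.csv`, are assumptions based on the Splunk Add-on for Windows and should be checked against your own extractions. The first search is meant to run as a scheduled report (for example every 15 minutes); the second is the ad hoc search you would run against it.

```spl
index=windows sourcetype=DhcpSrvLog (id=10 OR id=11)
| stats latest(_time) AS lease_time latest(dest_nt_host) AS dhcp_host BY ip
| outputlookup dhcp_ip_to_host.csv

index=wineventlog EventCode=4624 (Logon_Type=2 OR Logon_Type=3 OR Logon_Type=10)
| eval ip=coalesce(src_ip, Source_Network_Address)
| search ip!="-" ip!="127.0.0.1" ip!="::1"
| lookup dhcp_ip_to_host.csv ip OUTPUT dhcp_host lease_time
| eval lease_age_min=round((_time - lease_time)/60, 0)
| fillnull value=unknown dhcp_host
| stats count min(_time) AS first_seen max(_time) AS last_seen BY user ip dhcp_host EventCode
| convert ctime(first_seen) ctime(last_seen)
```

Logon types 2 (interactive), 3 (network) and 10 (RemoteInteractive) are the ones that normally carry a real client address; service, batch and many system logons report "-" or loopback, which the `search` line drops so they do not end up as their own rows. The CSV keeps only the most recent lease per IP, so a match is trustworthy only while that lease is still held; `lease_age_min` is there so you can see how old the lease was at logon time and discard attributions older than your scope's lease duration. For exact historical attribution, define the lookup with a time field (a time-bounded lookup) instead of overwriting a flat CSV.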