
Windows authentication creates too much noise

nathanluke86
Communicator

Hello Splunkers,

Is it just me, or are Windows Auth events ridiculously noisy?

I am trying to get accurate login/logout information, but the events show multiple success and logoff events for the same attempt, judging by time. I thought this might be duplicate logs, but they all have different record IDs, as below.


Is this just Windows in general, or might this be an issue with how our DCs (5 in total) log or are set up?

Multiple successes in a row with the same timestamp are mainly for 1 DC, so it's not just multiple DC attempts to authenticate, if that makes sense.


gcusello
SplunkTrust

Hi @nathanluke86,
Windows generates a lot of noise (every login usually generates between 10 and 13 login/logout events!).
You should try to group events using the transform command.
I had this problem and I solved it in a different way: every 5 minutes I executed on the clients a script with the command "query user", which extracts the connected users and gives info about login and logout.
This script, with its inputs.conf, was in a dedicated Technical Add-on.

Ciao.
Giuseppe

nathanluke86
Communicator

Hi @gcusello

Not just me then. I don't really have the permissions to run scripts on clients.

Was hoping for an indicator of a true login within the logs or a method to make the results more accurate.

We use smart cards to authenticate, and ideally logging when a smart card is inserted to log in or removed to log out would be ideal, but I'm struggling to get this information in the logs.


gcusello
SplunkTrust

Hi @nathanluke86,
See if your SmartCards give additional logs!
Windows isn't so clear in logins; you could use the transaction command with options (maxspan=1h startswith="EventCode=4624" endswith="EventCode=4634"), but it isn't so precise!

Ciao.
Giuseppe

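As an added illustration (not code from this thread or from Splunk), here is a simplified Python model of the 4624 -> 4634 pairing that transaction startswith/endswith/maxspan performs, run over constructed events; the sample event list and the users jdoe/asmith are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not taken from the thread:
# (timestamp, user, EventCode, RecordNumber). The three 4624s and two 4634s
# within one second at 08:28 mimic the noise described in the question.
SAMPLE_EVENTS = [
    ("2020-01-21 08:28:04", "jdoe",   4624, 101),
    ("2020-01-21 08:28:04", "jdoe",   4624, 102),
    ("2020-01-21 08:28:04", "jdoe",   4624, 103),
    ("2020-01-21 08:28:05", "jdoe",   4634, 104),
    ("2020-01-21 08:28:05", "jdoe",   4634, 105),
    ("2020-01-21 09:10:00", "jdoe",   4634, 140),  # the logoff a human would expect
    ("2020-01-21 08:30:00", "asmith", 4624, 110),
    ("2020-01-21 10:00:00", "asmith", 4634, 200),  # more than maxspan after the 4624
]

LOGON, LOGOFF = 4624, 4634

def pair_sessions(events, maxspan=timedelta(hours=1)):
    """Pair 4624 -> 4634 per user, like transaction startswith/endswith maxspan.

    A burst of 4624s for the same user is folded into one open session; the
    first 4634 inside maxspan closes it. Returns (sessions, orphan_logoffs).
    """
    by_user = defaultdict(list)
    for ts, user, code, rec in events:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), code, rec))
    sessions, orphans = [], 0
    for user, evs in by_user.items():
        evs.sort()  # by time, then EventCode, then RecordNumber
        cur = None
        for ts, code, rec in evs:
            if cur and cur["status"] == "open" and ts - cur["start"] > maxspan:
                cur["status"] = "expired"  # no logoff arrived within maxspan
            if code == LOGON:
                if cur and cur["status"] == "open":
                    cur["logons"] += 1  # noise: the same attempt logged again
                else:
                    cur = {"user": user, "start": ts, "end": None, "logons": 1, "status": "open"}
                    sessions.append(cur)
            elif code == LOGOFF:
                if cur and cur["status"] == "open":
                    cur["end"], cur["status"] = ts, "closed"
                else:
                    orphans += 1  # logoff with no open session: more noise
    return sessions, orphans

if __name__ == "__main__":
    for s in pair_sessions(SAMPLE_EVENTS)[0]:
        print(s["user"], s["status"], s["start"], s["end"], "logons:", s["logons"])
```

On this sample the jdoe session is closed by the first noisy 4634 one second after logon and the 09:10 logoff becomes an orphan, which is the imprecision Giuseppe is warning about.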

to4kawa
Ultra Champion

I see duplicate logs:
21/01/2020 08:28:04.000 ipAddress 10.200.33.211 EventID 4624
What is the query?


nathanluke86
Communicator

@to4kawa

All the logs have different record IDs, so they are not duplicate logs.

This was my first impression, but it turns out they are not.

Thanks for the input, much appreciated.
