
Event-level filtering based on LDAP query

dbylertbg
Path Finder

Anyone know how I can do event-level filtering that matches events based on membership in an AD group?

Specifically, I'm looking to send any and all events that have to do with the members of the "domain administrators" Active Directory group to a separate index. From there I can control permissions to that index to keep Domain Admin activity segregated. (Of course, the concept could be applied to any other AD group, OU, etc.)

Can event-level filtering be done by matching events with the results of an LDAP query, or CSV lookup, where the CSV is generated by a scheduled non-splunk job??

(Or, do I have to write a shell script to do an LDAP query and figure out how to safely update the appropriate config files using the script??)


cblanton
Communicator

It seems like this is exactly what ldapsearch is meant to do, but I can't figure out the search. I have my event search, then I want to filter events if the user field name matches the sAMAccount field as memberOf an ldap group.


nyetley
Engager

I have the same question. Did you come up with a solution?


cblanton
Communicator

Have you since been able to accomplish this with ldapsearch?


dbylertbg
Path Finder

No, I never did. Splunk support was also unable to provide a way to do this. The only thing I can think to do is to custom-write a script that does the ldap query for you and modifies a regex in the splunk configs.... but last I knew there was no built in way to do this. However -- I haven't checked to see if this might have been a new feature in recent releases.


dbylertbg
Path Finder

Heh... just re-read my original question... seems I'm at the same conclusion I was when I wrote the question. External script would have to be the solution.


cblanton
Communicator

I think this can be done now, I'm just not up to writing the search. Any thoughts on how this can be done with ldapsearch?

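The thread settles on an external script that runs the LDAP query and rewrites a regex in the Splunk config. As an added example (not code from this thread or from Splunk), here is the generation step in Python: it parses constructed ldapsearch output for the members of "Domain Admins", builds a safely escaped regex, and renders the transforms.conf stanza that routes matching events to a separate index. The domain, account names, index name and the "Account Name:" event layout are assumptions.

```python
import re
from typing import List

# Constructed sample output of an ldapsearch for the members of "Domain Admins"
# (hypothetical domain and accounts), e.g. from a query such as:
#   ldapsearch -LLL -H ldap://dc.example.local -D svc_splunk@example.local -W \
#     -b "DC=example,DC=local" \
#     "(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=example,DC=local))" \
#     sAMAccountName
# Plain memberOf ignores nested groups; the AD rule memberOf:1.2.840.113556.1.4.1941:=
# follows them if that matters.
SAMPLE_LDIF = """\
dn: CN=Alice Admin,OU=Staff,DC=example,DC=local
sAMAccountName: alice.admin

dn: CN=Bob Ops,OU=Staff,DC=example,DC=local
sAMAccountName: bob.ops

dn: CN=svc backup,OU=Service,DC=example,DC=local
sAMAccountName: svc-backup$
"""

def parse_samaccountnames(ldif_text: str) -> List[str]:
    """Every sAMAccountName value in the LDIF, deduplicated and sorted."""
    names = re.findall(r"^sAMAccountName:\s*(\S+)\s*$", ldif_text,
                       flags=re.MULTILINE | re.IGNORECASE)
    return sorted(set(names), key=str.lower)

def build_regex(names: List[str]) -> str:
    """PCRE-compatible REGEX for transforms.conf. Names are escaped so a trailing
    '$' on a machine account stays literal, and the negative lookahead stops
    'alice.admin' from also matching 'alice.administrator'. The 'Account Name:' label
    (Windows Security events) and optional DOMAIN\\ prefix are assumptions."""
    alternation = "|".join(re.escape(n) for n in names)
    return rf"(?i)Account Name:\s+(?:[\w.-]+\\)?(?:{alternation})(?![\w.$-])"

def routes_to_admin_index(event: str, names: List[str]) -> bool:
    """True if the generated REGEX would reroute this event."""
    return re.search(build_regex(names), event) is not None

def render_transforms(names: List[str], index: str = "domain_admin_idx",
                      stanza: str = "route_domain_admins") -> str:
    """transforms.conf stanza that rewrites the index at parse time; reference it
    with 'TRANSFORMS-route = <stanza>' in the sourcetype's props.conf stanza."""
    return "\n".join([f"[{stanza}]", f"REGEX = {build_regex(names)}",
                      "DEST_KEY = _MetaData:Index", f"FORMAT = {index}", ""])

if __name__ == "__main__":
    print(render_transforms(parse_samaccountnames(SAMPLE_LDIF)))
```

The rewritten stanza takes effect only after the indexer or heavy forwarder reloads its configuration, so the script has to schedule that step as well.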