Hi Splunkers,
I am struggling a little bit with the documentation of the Active Directory Monitoring input of the Splunk Add-on for Microsoft Windows.
http://docs.splunk.com/Documentation/Splunk/6.5.1/Data/MonitorActiveDirectory
admon generates an event if there was a change to an AD object, for example a user. This is what the docs say:
When an AD object changes, Splunk generates an update event.
But what does that mean exactly? Is the update event only generated if there was a change to a group membership of a user, or if somebody has changed his phone number? Or is an event generated even if the user just logs in to a system?
If you look at the sample log, there is a field called lastLogon; in my understanding, if the last logon changes, there will be a new event from admon. Am I right?
2/1/10
3:17:18.009 PM
02/01/2010 15:17:18.0099
dcName=stuff.splunk.com
admonEventType=Update
Names:
objectCategory=CN=Computer,CN=Schema,CN=Configuration
name=stuff2
displayName=stuff2
distinguishedName=CN=stuff2,CN=Computers
Object Details:
sAMAccountType=805306369
sAMAccountName=stuff2
logonCount=4216
accountExpires=9223372036854775807
objectSid=S-1-5-21-3436176729-1841096389-3700143990-1190
primaryGroupID=515
pwdLastSet=06:30:13 pm, Sat 11/27/2010
lastLogon=06:19:43 am, Sun 11/28/2010
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4096
objectGUID=blah
whenChanged=01:02.11 am, Thu 01/28/2010
whenCreated=05:29.50 pm, Tue 11/25/2008
objectClass=top|person|organizationalPerson|user|computer
Event Details:
uSNChanged=2921916
uSNCreated=1679623
instanceType=4
Additional Details:
isCriticalSystemObject=FALSE
servicePrincipalName=TERMSRV/stuff2|TERMSRV blah
dNSHostName=stuff2.splunk.com
operatingSystemServicePack=Service Pack 2
operatingSystemVersion=6.0 (6002)
operatingSystem=Windows Vista™ Ultimate
localPolicyFlags=0
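As an added example (not part of the original question, and not code from Splunk's add-on), here is a small Python parser for the admon event format shown above, plus a diff of two events for the same computer object that shows which attributes an Update event actually changed. The first event is the sample from the question, abridged to the fields used; the second event is constructed to represent an administrator setting the TRUSTED_FOR_DELEGATION bit on the computer account and registering an extra SPN, with lastLogon left unchanged. The set of "watched" attributes is an assumption chosen for illustration; the userAccountControl bit values are Microsoft's documented flag values.

```python
"""Parse Splunk admon events and work out what an Update event actually changed."""
import re

# Constructed sample: the Update event from the question, abridged to the fields used here.
EVENT_A = """02/01/2010 15:17:18.0099
dcName=stuff.splunk.com
admonEventType=Update
Names:
objectCategory=CN=Computer,CN=Schema,CN=Configuration
name=stuff2
distinguishedName=CN=stuff2,CN=Computers
Object Details:
sAMAccountType=805306369
sAMAccountName=stuff2
logonCount=4216
primaryGroupID=515
pwdLastSet=06:30:13 pm, Sat 11/27/2010
lastLogon=06:19:43 am, Sun 11/28/2010
userAccountControl=4096
whenChanged=01:02.11 am, Thu 01/28/2010
objectClass=top|person|organizationalPerson|user|computer
Event Details:
uSNChanged=2921916
uSNCreated=1679623
Additional Details:
servicePrincipalName=TERMSRV/stuff2|TERMSRV blah
dNSHostName=stuff2.splunk.com
"""

# Constructed follow-up event for the same object: an admin has set TRUSTED_FOR_DELEGATION
# (0x80000) on the computer account and registered one more SPN. lastLogon is untouched.
EVENT_B = (EVENT_A
           .replace("02/01/2010 15:17:18.0099", "02/01/2010 16:05:41.0012")
           .replace("userAccountControl=4096", "userAccountControl=528384")
           .replace("whenChanged=01:02.11 am, Thu 01/28/2010",
                    "whenChanged=04:05.41 pm, Mon 02/01/2010")
           .replace("uSNChanged=2921916", "uSNChanged=2921950")
           .replace("servicePrincipalName=TERMSRV/stuff2|TERMSRV blah",
                    "servicePrincipalName=TERMSRV/stuff2|TERMSRV blah|MSSQLSvc/stuff2.splunk.com:1433"))

# userAccountControl bits (Microsoft's documented UF_* values), decoded for readability.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Assumption for this example: attributes whose change an analyst normally wants to alert on.
WATCHED = {"userAccountControl", "servicePrincipalName", "primaryGroupID", "pwdLastSet",
           "member", "memberOf", "adminCount", "msDS-AllowedToDelegateTo"}

# Attributes admon renders as '|'-separated lists.
MULTI_VALUED = {"objectClass", "servicePrincipalName", "member", "memberOf"}
SECTION_RE = re.compile(r"^[A-Za-z ]+:$")   # "Names:", "Object Details:", ...


def parse_admon(text):
    """Return {attribute: value} for one admon event; multi-valued attributes become lists."""
    attrs = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue                      # section headers carry no data
        if "=" not in line:
            attrs.setdefault("_timestamp", line)   # the first line is the event time
            continue
        key, _, value = line.partition("=")   # split on the FIRST '=' only: DNs contain '='
        attrs[key] = value.split("|") if key in MULTI_VALUED else value
    return attrs


def diff_events(old, new):
    """Attributes whose value differs between two events for the same object."""
    keys = set(old) | set(new)
    return {k: (old.get(k), new.get(k)) for k in sorted(keys) if old.get(k) != new.get(k)}


def decode_uac(value):
    """Names of the userAccountControl bits set in a decimal string such as '4096'."""
    v = int(value)
    return sorted(name for bit, name in UAC_FLAGS.items() if v & bit)


def triage(old, new):
    """Explain what an Update event changed and whether it touched a watched attribute."""
    changed = diff_events(old, new)
    report = {
        "object": new.get("distinguishedName"),
        # uSNChanged is a per-DC counter: comparing it is only meaningful for the same dcName.
        "same_dc": old.get("dcName") == new.get("dcName"),
        "usn_advanced": int(new["uSNChanged"]) > int(old["uSNChanged"]),
        "changed": sorted(k for k in changed if not k.startswith("_")),
        "watched_hits": sorted(k for k in changed if k in WATCHED),
    }
    if "userAccountControl" in changed:
        report["uac_before"] = decode_uac(old["userAccountControl"])
        report["uac_after"] = decode_uac(new["userAccountControl"])
    return report


if __name__ == "__main__":
    for key, val in triage(parse_admon(EVENT_A), parse_admon(EVENT_B)).items():
        print(f"{key}: {val}")
```

Running the file prints the triage of the two constructed events: the USN advanced on the same DC, the changed attributes are servicePrincipalName, uSNChanged, userAccountControl and whenChanged, and the userAccountControl decode goes from WORKSTATION_TRUST_ACCOUNT alone to WORKSTATION_TRUST_ACCOUNT plus TRUSTED_FOR_DELEGATION. Diffing consecutive events this way is how you answer the question in the post for your own environment: generate a logon, capture the next admon event for that object (if any) and see which attributes moved.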
Hi,
we implemented a Universal Forwarder ourselves and I also had some questions regarding this topic. However, I don't get why people want to use the AD App; you're also restricted to Splunk running on Windows. Maybe read more about it here: http://blogs.splunk.com/2014/01/27/working-with-active-directory-on-splunk-universal-forwarders/
You cannot easily answer this by saying "yes" or "no". In most cases, the answer would be simply "no", a login is not logged as an admonEventType=Update. *
Splunk uses Microsoft's API to get change notifications (as mentioned in the blog above, IIRC). A standard change notification for an object would be a password change (pwdLastSet). You can enable change notifications in the ADSI Editor if I am not wrong. But I am no AD guru, so better ask someone who knows how to enable object notifications for third-party applications.
* I am not talking about logons on the AD controller itself. Read more about some tips & tricks here: http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/
Hi, thanks for taking the time to give a detailed answer.
We will now use a different approach, using PowerShell with the AD module to get this information out of AD.