Hi All,
I am trying to create a list of users who have not logged in to the Domain Controller for more than 30 days.
Any suggestion will be of great help.
Thanks,
Hi,
If you have the add-on for Active Directory installed, you could use the ldapsearch command.
have a look at this:
https://answers.splunk.com/answers/559930/ldapad-report-on-user-accounts-last-login-date-and.html
Assuming you already have the relevant login events in Splunk:
Something like this should work:
...search to get to the successful login events...
| stats latest(_time) as lastTime by user
| eval daysAgo = (now()-lastTime)/(24*3600)
| where daysAgo > 30
Only trouble: you will need to run this over a long time period, and if you have a big volume of domain controller logs, that may be a bit slow. Accelerated data models could help there.
Alternative would be to somehow import a full list of users from AD, and then filter out those users that show up in last 30 days of login events.
Just to highlight...
If you have more than one Domain Controller in your forest/domain you may need to check each DC for the last logon timestamp - sadly, this parameter is not replicated between DCs, so you have to do some legwork to make sure you get all the values from your LDAP environment.
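To make the two approaches in this thread concrete, here is an added example (not code from the thread or from Splunk) that models the logic in plain Python over constructed data, so it can be run and checked offline. `stale_from_events` is the stats/daysAgo search from the earlier answer; `stale_accounts` is the alternative of starting from the full AD user list, and `merge_last_logon` does the per-DC legwork mentioned above, since lastLogon is stored on each DC and not replicated (lastLogonTimestamp is replicated, but is only refreshed when the stored value is more than about 14 days old, so it is not precise either). The user names, DC names, timestamps and event shapes are all made up for the example. The point it makes visible: an account with no login events in the searched window never reaches `stats`, so the stats-only search cannot list it, although it is exactly the kind of account the question is about.

```python
"""Stale-account check modelled in plain Python (added example, not from the thread)."""
from datetime import datetime, timezone

DAY = 86400
STALE_DAYS = 30
# Fixed reference time instead of Splunk's now(), so the constructed data is reproducible.
NOW = datetime(2018, 3, 1, tzinfo=timezone.utc)
NOW_EPOCH = int(NOW.timestamp())


def days_back(n):
    """Epoch seconds for n days before NOW (helper for the constructed samples)."""
    return NOW_EPOCH - n * DAY


# Constructed login events, shaped like the (_time, user) pairs the SPL search feeds to stats.
LOGIN_EVENTS = [
    (days_back(45), "alice"),
    (days_back(1), "alice"),
    (days_back(40), "bob"),
    (days_back(31), "bob"),
]

# Constructed per-DC directory export: (user, dc, lastLogon as epoch or None for never).
# lastLogon is held independently by every DC, hence one row per user per DC.
DIRECTORY = [
    ("alice", "dc1", days_back(2)),
    ("alice", "dc2", None),
    ("bob",   "dc1", days_back(60)),
    ("bob",   "dc2", days_back(33)),
    ("carol", "dc1", None),          # exists in AD, never logged on, no Splunk events
    ("carol", "dc2", None),
    ("dave",  "dc1", days_back(5)),  # only dc1 ever authenticated dave; no Splunk events
    ("dave",  "dc2", None),
]


def latest_by_user(events):
    """Equivalent of `| stats latest(_time) as lastTime by user`."""
    latest = {}
    for ts, user in events:
        if user not in latest or ts > latest[user]:
            latest[user] = ts
    return latest


def days_ago(ts, now_epoch=NOW_EPOCH):
    """Equivalent of `| eval daysAgo = (now()-lastTime)/(24*3600)`, truncated to whole days."""
    return (now_epoch - ts) // DAY


def stale_from_events(events, stale_days=STALE_DAYS):
    """First approach from the thread: stats, daysAgo, filter. Returns {user: daysAgo}.
    A user with no event in the searched window never reaches stats, so cannot appear here."""
    return {user: days_ago(ts) for user, ts in latest_by_user(events).items()
            if days_ago(ts) > stale_days}


def merge_last_logon(rows):
    """Collapse the per-DC lastLogon rows to the newest value per user (None = never logged on)."""
    merged = {}
    for user, _dc, ts in rows:
        merged.setdefault(user, None)
        if ts is not None and (merged[user] is None or ts > merged[user]):
            merged[user] = ts
    return merged


def stale_accounts(events, directory_rows, stale_days=STALE_DAYS):
    """Second approach: start from the full AD user list and drop anyone seen recently in
    either source. Returns {user: daysAgo}, with None for accounts never seen at all."""
    seen_in_events = latest_by_user(events)
    seen_in_ad = merge_last_logon(directory_rows)
    stale = {}
    for user, ad_ts in seen_in_ad.items():
        candidates = [t for t in (ad_ts, seen_in_events.get(user)) if t is not None]
        if not candidates:
            stale[user] = None                      # never logged on anywhere
        elif days_ago(max(candidates)) > stale_days:
            stale[user] = days_ago(max(candidates))
    return stale


if __name__ == "__main__":
    print("stats-only view:", stale_from_events(LOGIN_EVENTS))
    print("full-list view: ", stale_accounts(LOGIN_EVENTS, DIRECTORY))
```

In the constructed data, bob is reported by both approaches (31 days), carol only by the full-list approach (never logged on), and dave is correctly left out only because the lastLogon value from dc1 was merged in; reading dc2 alone would have flagged him. The same shape carries over to SPL: the event-based `stats` result has to be left-joined onto the user list from ldapsearch, not the other way round.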
Thanks, this was helpful!!
oh, yes, if you can import the last logon date straight from AD that could make things much simpler indeed, good suggestion!
No need to be sarcastic 😉 Since he did not say if he already has logs, I wanted to give him a suggestion on where to look. If you had a look at the search in the link, you would know that you can filter with the field lastDate.
Sarcastic? It was meant as a genuine comment. More of an "I hadn't thought of that", after I submitted my own answer 🙂
Ah ok, please excuse my misinterpretation ^^
I just thought because there was no upvote it could be sarcasm 🙂
Thanks Guys, I can do with AD but I need to collect the user activity from another app on Splunk...I am trying to combine both in a report.
@dkeck's suggestion enables you to collect that data from AD into Splunk 🙂