- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create searches for a dashboard on Active D...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to create searches for a dashboard on Active Directory user activity?
Hi Team,
We are trying to create a dashboard with couple of Active Directory user activities (like Login Success vs failure, Locked out accounts, Pwd expired accounts, Most active accounts etc). Could you please let us know how can we create Splunk searches to get this data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@akashjohn if you have the data in splunk, look at this site for ideas for queries http://gosplunk.com/failed-versus-successful-logon-attempts/
If you don't have the data in splunk, check out this app https://splunkbase.splunk.com/app/1680/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
We were not able to find any user activity logs in splunk. The methods which we tried are given below,
- index = main sourcetype = "security"
- source=WinEventLog:security
Both of these methods are not providing the logs (one user's logs are available) as result in splunk query. So we are suspecting the logs are not seems to be porting to splunk server.
Could you please let us know which are the configurations we need to configure to send logs to splunk server on client server side?
We are assuming that AD server logs will be providing all the necessary data about AD user account related activities, if not please let us know in which are the servers we need to configure splunk configurations.
Thanks,
Akash John
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Active Directory generates logs locally on the machine on which it is deployed, with this, just get these logs of the servers and begin making some searchs. Some examples:
index = security sourcetype = adLog (error OR fail *) | stats count
You can get these data through this methods: monitor file system, by script or doing the upload file for Splunk.
Follow the source for configurate the AD log: https://technet.microsoft.com/en-us/library/cc961809.aspx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rafamss,
Thanks for the response. Unfortunately we were not able to find any logs as out put..
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
