I've managed to put together a quick and dirty script for this use case. After quite some research I figured out that the best option is to play around with the Get-RemoteAccessConnectionStatistics PowerShell cmdlet, which requires elevated permissions to run. Since I haven't found a way to run a PowerShell script from the Splunk forwarder with elevated permissions, I run it as a Scheduled Task every minute and export newly established connections into a file, which is then read by the Splunk forwarder.
Here is the PowerShell script, which is installed on my DirectAccess server:
# paths used by the script (the data directory holds one file per day)
$DataDir   = Join-Path $PSScriptRoot "data"
$StateFile = Join-Path $PSScriptRoot "maxConnectionTime.txt"
$today     = Get-Date -Format "yyyy-MM-dd"
$OutFile   = Join-Path $DataDir "$today-connections.txt"

# get last written connection time, or default to midnight today on the first run
If (Test-Path $StateFile) {
    # -Raw keeps the trailing newline written by the previous run, so trim it
    $MaxConnectionTime = (Get-Content -Path $StateFile -Raw).Trim()
}
Else {
    $MaxConnectionTime = Get-Date -Format "yyyy-MM-dd 00:00:00"
}
# high-water mark at the start of this run; compared against instead of the running
# maximum so that several connections starting in the same second are all written
$LastRun = $MaxConnectionTime

# housekeeping - make sure the data directory and today's file exist before touching the ACL
# (Get-Acl fails on a file that is not there yet, i.e. on the first run of each day)
New-Item -ItemType Directory -Path $DataDir -Force | Out-Null
If (-not (Test-Path $OutFile)) { New-Item -ItemType File -Path $OutFile | Out-Null }

# housekeeping - make new file accessible - fast & dirty
# (Everyone/FullControl is far broader than the forwarder needs; a read-only rule for the
# forwarder's service account is enough if you tighten this)
$acl = Get-Acl $OutFile
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone","FullControl","Allow")
$acl.SetAccessRule($accessRule)
$acl | Set-Acl $OutFile

# get remote access connection statistics since the last recorded connection,
# sorted by start time so the high-water mark is updated in chronological order
$connections = Get-RemoteAccessConnectionStatistics -StartDateTime ([datetime]$MaxConnectionTime) |
    Sort-Object ConnectionStartTime

# loop through results and write them to file if they are newer than the last one written
ForEach ($connection in $connections)
{
    # sortable timestamp format, so a string comparison is a chronological comparison
    $date = Get-Date -Date $connection.ConnectionStartTime -Format "yyyy-MM-dd HH:mm:ss"
    If ($date -gt $LastRun)
    {
        Add-Content -Path $OutFile -Value "ConnectionTime='$date' SessionID=$($connection.SessionId) ClientIPv4Address=$($connection.ClientIPv4Address) ClientIPv6Address=$($connection.ClientIPv6Address) ClientAddress=$($connection.ClientAddress) ConnectionType=$($connection.ConnectionType) HostName=$($connection.HostName) UserName=$($connection.UserName)"
        $MaxConnectionTime = $date
    }
}

# update time (high-water mark for the next run)
Set-Content -Path $StateFile -Value $MaxConnectionTime

# housekeeping - delete old files
$DatetoDelete = (Get-Date).AddDays(-7)
Get-ChildItem $DataDir | Where-Object { $_.LastWriteTime -lt $DatetoDelete } | Remove-Item
And here is the content of my inputs.conf:
[monitor://$SPLUNK_HOME/etc/apps/myorg_security_microsoft_directaccess_inputs/bin/data/]
sourcetype = DirectAccessConnections
index=myorg_vpn
As a note: I couldn't bring the script to life if I specified the "Start in" option in the Scheduled Task. I had to add the following arguments to the Scheduled Task action:
-ExecutionPolicy Bypass -File "C:\Program Files\SplunkUniversalForwarder\etc\apps\myorg_security_microsoft_directaccess_inputs\bin\GetRemoteAccessConnection.ps1"
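To make the scheduled-task part reproducible, here is an added example (not from the original post) that registers the collector with the same arguments the post describes, running every minute as SYSTEM with the highest run level, and then checks that it produced today's file. The task name is an assumption; the script path is the one quoted in the post, and no "Start in" (working directory) is set, matching the note above.

```powershell
# Added example, not part of the original post: register the DirectAccess collector
# as a scheduled task that runs every minute with elevated privileges.
$ScriptPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\myorg_security_microsoft_directaccess_inputs\bin\GetRemoteAccessConnection.ps1"
$TaskName   = "Collect DirectAccess connections"   # assumed name, pick your own

# Same arguments as in the post; no WorkingDirectory, since "Start in" broke the task for the author
$action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Fire once now and repeat every minute (a long duration keeps it going on older Windows
# versions that require -RepetitionDuration)
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 1) `
    -RepetitionDuration (New-TimeSpan -Days 3650)

# SYSTEM with RunLevel Highest gives the elevated context Get-RemoteAccessConnectionStatistics needs
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" `
    -LogonType ServiceAccount -RunLevel Highest

# Do not pile up instances if a run takes longer than a minute; kill a hung run after 5 minutes
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Kick it off once and verify: exit code 0 and a file for today in the bin\data directory
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 15
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult

$DataFile = Join-Path (Split-Path $ScriptPath) "data\$(Get-Date -Format 'yyyy-MM-dd')-connections.txt"
If (Test-Path $DataFile) {
    Get-Content $DataFile -Tail 5
} Else {
    Write-Warning "No data file at $DataFile - check LastTaskResult and the task history"
}
```

Run this once, elevated, on the DirectAccess server. Because the file lands inside the forwarder's app directory, the monitor stanza in inputs.conf above picks it up without any further configuration; if LastTaskResult is non-zero, the task history in Task Scheduler shows the PowerShell error.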