I've got a default setup of Splunk (v 5.0.3) with the following:
Active Directory App. (1.2.1)
Sideview Utils (2.6.3)
SA-ldapsearch (1.1.9)
TA for Windows (4.6.3)
Universal Forwarder (5.0.3)
Everything appears to be working correctly - I am seeing log data sent to the indexer from two Active Directory/DNS servers and I can pull up data on all of the menus within the app (security, change management, health, etc.), however... I am having problems finding specific events. I don't know if this is related to how we have our audit policies set up (Advanced Audit Policy, 2008 R2 domain) but suspect it is related.
Specifically, I am not seeing failed login attempts to the domain when a user is mistyping their passwords on a client workstation. I am seeing this type of event when an admin attempts a remote desktop to one of the Domain Controllers and fails.
Also, (most likely related to above) I am trying to use the "User Utilization" menu option and filter for a specific time period, but again, I am only seeing events showing up from users connecting directly to a DC (Admin/remote desktop) and not the client connections.
Any ideas here? Thanks in advance!