I've been able to start pulling AD logs via WMI, which is nice and all, but I come in this morning and have some 28-odd million events in WMI:WinEventLog:Security, and a very unhappy Splunk server after a long holiday weekend of chewing on events.
Is there a way to discard events past a certain age? We're still in trial mode for proof of concept, and I'd like it to stay running a bit longer than a week.
Yeah, so apparently I'm not completely talking to Active Directory until I install some forwarders. I saw "add data source" for AD or whatever on the first-run page and did that.
Apparently it's a bit more involved.
OK, great! So we just got Splunk running. Now what?
I've gone out and told it to grab AD data, so I thought, hey, how do I find failed logon attempts on the network? Even better, can I set a trigger to alert me when someone fails X times and the account gets locked out?
Any takers for a rookie question?