Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)


The ldapfilter command

Overview

The ldapfilter command filters and augments events with information from Active Directory. It follows a search or similar command in the pipeline so that you can feed it events. A sample usage follows:

eventtype=msad-user-logons |ldapfilter domain=$dest_nt_domain$ search="(objectClass=$src_user$)" attrs="telephoneNumber,displayName"

There are several possible arguments:

Argument Description
domain=<domain> Specifies the LDAP or Active Directory domain to search.
search=<search-filter> Specifies the RFC 2254-compliant search string.
basedn=<search-base> Specifies a search base as the starting point instead of the default as set in the ldap configuration stanza identified by domain.
attrs=<attribute-names> Specifies a comma-delimited list of attributes to return as fields.
debug=<boolean> Specifies whether or not ldapfilter should write debug log data. When set to T, specifies that debug logging should occur.
logging_level=(CRITICAL|ERROR|WARNING|INFO|DEBUG) Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. Splunk can access this file with the search "index=_internal sourcetype=SA-ldapsearch", which exposes the following fields:

File: Full pathname of the source file where the logging call was made.
Level: Level of the logging call that was made; one of CRITICAL, ERROR, WARNING, INFO, or DEBUG.
Line: Line number in the source file where the logging call was made.
Pid: ID of the process that made the logging call.
log_source: String of the form "Pid=<Pid>, File=<File>, Line=<Line>".
message: Full text of the logged message.

ldapfilter writes its debug logs to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log. Splunk indexes and rotates this file by default.

On return, ldapfilter adds the LDAP attributes specified by the attrs argument to each event, based on an LDAP search. It uses the domain and search arguments to determine which LDAP search to perform. You can substitute event field values into these arguments by surrounding the field names with dollar signs, for example $src_user$.

Examples

To return the display name and telephone number for all successful logons:

search eventtype=msad-successful-user-logons |stats count by src_user,dest_nt_domain |ldapfilter domain=$dest_nt_domain$ search="(sAMAccountName=$src_user$)" attrs="telephoneNumber,displayName" |table src_user,dest_nt_domain,displayName,telephoneNumber,count

To print a list of all organizational units (OUs) that have linked GPOs and fetch the displayName of each linked GPO:

|ldapsearch domain=MYDOMAIN search="(objectclass=organizationalUnit)" attrs="ou,description,gPLink,gPOptions" |sort ou |rex field=gPLink max_match=10 "\[LDAP:\/\/(?<gpo>[^;]+);\d+\]" |ldapfilter debug=T domain="{ctx}$gpo$" search="(distinguishedName=$gpo$)" attrs="cn,displayName" |table ou,cn,displayName

Important: You must specify the search, domain and attrs fields for ldapfilter to work properly.
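The variable substitution described above (a $field$ value from each event dropped into the search filter) and the gPLink regex from the GPO example, modelled offline as an added example that is not part of the add-on's own code. The page does not state whether ldapfilter escapes substituted values itself, so this example escapes filter metacharacters per RFC 2254 by default, which keeps a src_user value containing "*" or parentheses from widening the LDAP query; the events and gPLink string are constructed sample data.

```python
import re

# RFC 2254 / RFC 4515 escaping for assertion values inside an LDAP filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape filter metacharacters so the value is matched literally."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


_VAR = re.compile(r"\$(\w+)\$")  # $field$ placeholders, as in the ldapfilter syntax


def render_filter(template, event, escape=True):
    """Substitute $field$ placeholders in template with values from one event (a dict)."""
    def sub(match):
        name = match.group(1)
        if name not in event:
            raise KeyError(f"event has no field {name!r}")
        value = str(event[name])
        return escape_filter_value(value) if escape else value
    return _VAR.sub(sub, template)


def plan_lookups(events, template, domain_field="dest_nt_domain"):
    """Return the distinct (domain, filter) pairs ldapfilter would have to query for these events."""
    pairs = []
    for event in events:
        pair = (event[domain_field], render_filter(template, event))
        if pair not in pairs:
            pairs.append(pair)
    return pairs


# Regex from the page's GPO example: one DN per "[LDAP://<dn>;<options>]" entry in gPLink.
_GPLINK = re.compile(r"\[LDAP://(?P<gpo>[^;]+);\d+\]")


def linked_gpos(gplink):
    """Extract the GPO distinguished names from a gPLink attribute value."""
    return _GPLINK.findall(gplink)


# Constructed sample events; "j*" shows why escaping matters before the value hits LDAP.
SAMPLE_EVENTS = [
    {"src_user": "jsmith", "dest_nt_domain": "CORP"},
    {"src_user": "jsmith", "dest_nt_domain": "CORP"},
    {"src_user": "j*", "dest_nt_domain": "CORP"},
]
```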


This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7


Comments

This REALLY needs an explanation as to how it is different from this:
http://docs.splunk.com/Documentation/SA-LdapSearch/latest/User/Theldapfetchcommand

Woodcock
January 29, 2016

Hi Rtoloczk,

The example was in error. The backslashes were not escaped (and should be) and the </> strings were the result of a character stripping. I've fixed the example so that the regex should work now. Thanks for catching it!

Malmoore
December 10, 2014

When I attempt to use the last example for fetching the displayName of GPOs that are linked to OUs I get the error:

Error in 'rex' command: Encountered the following error while compiling the regex '\[LDAP://(?<gpo>[^;]+);\d+\]': Regex: syntax error in subpattern name (missing terminator)

Rtoloczk
December 10, 2014
