Monitor Active Directory
Configure Active Directory monitoring as an input to monitor changes to portions of, or all of, your AD forest and collect user and machine metadata.
Once you've enabled this feature and restarted Splunk, it will take a baseline snapshot of your AD data and the AD schema. It uses this data as a starting point against which to monitor. This process is throttled, so it won't overwhelm your connection if you're auditing a remote AD instance, but it might take a little time before it is complete.
Powerful lookups from your AD data
You can use this feature combined with dynamic list lookups to decorate or modify events with any information available in AD. Read an overview of how to do this in this topic on the Splunk Community Wiki.
Things to know
- This feature is only available on Windows platforms, and you must have the Windows app enabled for it to work.
- The admon.exe process can run under a full Splunk install or within a forwarder.
- The machine the admon.exe process is running on must belong to the domain you want to monitor.
- The user Splunk is running as must be part of the domain too; whatever rights that user has to query AD will filter the results Splunk can see.
- You can use the Windows permissions of the user admon.exe is running as to control the level of access Splunk should have and what it should be allowed to see. Note that the AD user rights policy set in Group Policy Manager can further restrict access.
For more details, see this topic about choosing the user Splunk should run as in the Installation Manual.
Configure AD monitoring in inputs.conf and admon.conf
Because this feature is included in the Windows app, you must configure the relevant files within that app's directory structure, so be sure you're editing the files in the correct location.
1. Make a copy of $SPLUNK_HOME\etc\apps\windows\default\inputs.conf and put it in $SPLUNK_HOME\etc\apps\windows\local\inputs.conf.
2. Edit the copy and enable the scripted input [script://$SPLUNK_HOME\bin\scripts\splunk-admon.py] by setting the value of disabled to 0.
3. Next, make a similar copy of $SPLUNK_HOME\etc\apps\windows\default\admon.conf and put it in $SPLUNK_HOME\etc\apps\windows\local\admon.conf.
4. Edit it using the information later in this topic. By default, when enabled, it will index the first domain controller that the admon.exe process can attach to. If that is acceptable, no further configuration is necessary; it will just work.
Settings in admon.conf
monitorSubtree = 0 will tell Splunk to only index the target container. A value of 1 (the default) will tell Splunk to enumerate all sub-containers and domains it has access to.
targetDC = unique name of the domain controller host you want to monitor. Specify a unique name if:
- you have a very large AD and you only want to monitor information in a particular branch (ou), subdomain, etc.
- you want to limit your scope to only a certain subdomain of your tree.
- you have a specific (read-only) domain controller that is offered for this purpose in a high security environment.
- you have multiple domain forests in a trusted configuration; you can use this to target a different tree than the one where Splunk resides.
- you want to run multiple instances of admon.exe to target multiple Domain Controllers, for example, to monitor replication health across a distributed environment.
If you want to target multiple DCs, add another [<uniquename>TargetDC] stanza for a target in that tree.
startingNode = a fully qualified LDAP name (for example "LDAP://OU=Computers,DC=ad,DC=splunk,DC=com") where Splunk will begin its indexing. Splunk starts there and enumerates down to sub-containers, depending on the configuration of monitorSubtree, above. If you don't specify something, it will start at the highest root domain in the tree it can access.
The startingNode must be within the scope of the DC you are targeting to be successful.
Example AD monitoring configurations
You can target a DC at a higher (root) level than the OU you want to monitor. For example, to monitor the OU = Computers in the eng.ad.splunk.com subdomain, target one of the controllers in ad.splunk.com; the reason to do this is that you want the schema for the entire tree, not just a sub-domain. Then set the starting node to the OU in eng.ad.splunk.com to audit machines being added to and removed from that OU.
[default]
monitorSubtree = 1
disabled = 0

[DefaultTargetDC]
targetDC = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com
You can monitor multiple DCs, for example:
[default]
monitorSubtree = 1
disabled = 0

[DefaultTargetDC]
targetDC = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

[SecondTargetDC]
targetDC = pri02.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com
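As an added example (this is not Splunk's own code), the following Python script checks a local inputs.conf and admon.conf against the rules from steps 1 to 4 and the settings section above: the splunk-admon.py scripted input must have disabled set to 0, monitorSubtree must be 0 or 1, each target stanza should follow the [<uniquename>TargetDC] naming, and the startingNode must lie within the scope of the DC being targeted. The scope test is an assumption of this example: it treats the DNS suffix of the targetDC host name as the domain that DC serves and accepts a startingNode whose DC= components name that domain or one of its subdomains. The sample configuration text is constructed, following the examples above, with one deliberately bad stanza added.

```python
"""Sanity-check inputs.conf and admon.conf before enabling AD monitoring.

Added example, not Splunk code. Assumption: the DNS suffix of the targetDC
host name is the domain that DC serves, so a startingNode is "in scope"
when its DC= components name that domain or one of its subdomains.
"""
import configparser

# Constructed sample: the page's multi-DC example plus one deliberately bad stanza.
SAMPLE_ADMON_CONF = """
[default]
monitorSubtree = 1
disabled = 0

[DefaultTargetDC]
targetDC = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

[SecondTargetDC]
targetDC = pri02.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

[BadTargetDC]
targetDC = pri01.eng.ad.splunk.com
startingNode = OU=Servers,DC=corp,DC=example,DC=com
monitorSubtree = 2
"""

# Constructed sample of the local inputs.conf after step 2 of the procedure.
SAMPLE_INPUTS_CONF = """
[script://$SPLUNK_HOME\\bin\\scripts\\splunk-admon.py]
disabled = 0
"""

ADMON_INPUT_STANZA = "script://$SPLUNK_HOME\\bin\\scripts\\splunk-admon.py"


def _load(text):
    # interpolation=None keeps $SPLUNK_HOME as a literal instead of a configparser variable
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def admon_input_enabled(inputs_text):
    """Step 2: the scripted-input stanza exists and its disabled value is 0."""
    cp = _load(inputs_text)
    return cp.has_section(ADMON_INPUT_STANZA) and \
        cp.get(ADMON_INPUT_STANZA, "disabled", fallback="1").strip() == "0"


def dn_domain(dn):
    """DNS domain named by the DC= components of an LDAP DN (LDAP:// prefix optional)."""
    if dn.upper().startswith("LDAP://"):
        dn = dn[len("LDAP://"):]
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")).lower()


def host_domain(fqdn):
    """Domain part of a host name: pri01.eng.ad.splunk.com -> eng.ad.splunk.com."""
    return fqdn.split(".", 1)[1].lower() if "." in fqdn else ""


def in_scope(target_dc, starting_node):
    """Assumed scope rule: startingNode's domain equals, or lies under, the DC's domain."""
    dc_dom, node_dom = host_domain(target_dc), dn_domain(starting_node)
    return bool(dc_dom) and (node_dom == dc_dom or node_dom.endswith("." + dc_dom))


def validate_admon_conf(admon_text):
    """Return {stanza: [problems]} for every stanza other than [default]."""
    cp = _load(admon_text)
    findings = {}
    for stanza in cp.sections():
        if stanza == "default":
            continue
        problems = []
        if not stanza.endswith("TargetDC"):
            problems.append("stanza name does not follow the [<uniquename>TargetDC] convention")
        # a stanza inherits monitorSubtree from [default]; the page allows only 0 or 1
        subtree = cp.get(stanza, "monitorSubtree",
                         fallback=cp.get("default", "monitorSubtree", fallback="1")).strip()
        if subtree not in ("0", "1"):
            problems.append(f"monitorSubtree must be 0 or 1, got {subtree}")
        target = cp.get(stanza, "targetDC", fallback="").strip()
        node = cp.get(stanza, "startingNode", fallback="").strip()
        if not target:
            problems.append("targetDC is missing")
        elif node and not in_scope(target, node):
            problems.append(f"startingNode {node} is outside the scope of targetDC {target}")
        findings[stanza] = problems
    return findings


if __name__ == "__main__":
    print("admon input enabled:", admon_input_enabled(SAMPLE_INPUTS_CONF))
    for stanza, problems in validate_admon_conf(SAMPLE_ADMON_CONF).items():
        print(stanza, "OK" if not problems else "; ".join(problems))
```

Run it against the real files under $SPLUNK_HOME\etc\apps\windows\local\ by reading them into the two functions; a stanza with an empty problem list passes all four checks.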
Sample admon output
There are four types of events admon will create in your Splunk during normal operation: schema, sync, update and delete.
- a schema event is created for each object type, listing all the available fields and whether they are required or optional. This also detects schema extensions.
- sync events are the initial load-in event for each object as Splunk indexes the current state of the AD instance. There will be one per object, per DC.
- update events occur as admon detects changes in the instance and records them. Changes are detected by watching for increments in the USN of the object. Note that although admon only requests changed fields, additional fields may be marked as changed automatically by AD.
- delete events are a special kind of update event, detected by the field isDeleted being a changed field (and set to TRUE).
Note the examples given below have been slightly altered for documentation purposes.
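As an added example (not Splunk's own code), the following Python classifies admon events into the four types listed above using the page's rules: admonEventType separates schema, Sync and Update events, and an Update event carrying isDeleted=TRUE is a delete. It also keeps the highest uSNChanged seen per objectGUID, so an Update whose USN has not moved past the last recorded value is flagged; that tracker is this example's own addition built on the USN-increment rule stated above. The parser accepts both layouts the sample events below use (all key=value pairs on one line, or one per line with section headers such as Names:). The sample events are constructed, abbreviated from the examples below, and the sync event's USN value is invented for the example.

```python
"""Classify admon events (schema / sync / update / delete) and check USN movement.

Added example, not Splunk code. Field parsing follows the key=value layout of the
sample events on this page; the USN tracker is this example's own addition.
"""
import re

# key=value pairs; a value runs until the next " key=" token or end of line,
# so values containing spaces ("name=NTDS Settings") survive intact.
FIELD_RE = re.compile(r"([A-Za-z][\w\-]*)=(.*?)(?=\s+[A-Za-z][\w\-]*=|$)")

# Constructed sample events, abbreviated from the examples on this page.
SAMPLE_EVENTS = [
    # schema: one event per object class, all fields on one line
    "02/01/2010 15:11:16.0518 dcName=LDAP://stuff.splunk.com/ admonEventType=schema "
    "className=computer instanceType=MandatoryProperties description=OptionalProperties",
    # sync: initial state of an existing object (USN value constructed)
    """02/01/2010 15:11:09.0748
dcName=ftw.ad.splunk.com
admonEventType=Sync
Names:
name=THE
distinguishedName=CN=THE,CN=Computers,DC=ad,DC=splunk,DC=com
objectGUID=5608e9b5-93be-284a-558f-cabb70f647a1
Event Details:
uSNChanged=2921900""",
    # update: same object, USN advanced
    """02/01/2010 15:17:18.0099
dcName=ftw.ad.splunk.com
admonEventType=Update
name=THE
objectGUID=5608e9b5-93be-284a-558f-cabb70f647a1
uSNChanged=2921916""",
    # a replay of that update: the USN has not moved, so it is not a new change
    """02/01/2010 15:17:18.0099
dcName=ftw.ad.splunk.com
admonEventType=Update
name=THE
objectGUID=5608e9b5-93be-284a-558f-cabb70f647a1
uSNChanged=2921916""",
    # delete: an Update event carrying isDeleted=TRUE
    """02/01/2010 15:11:16.0954
dcName=ftw.ad.splunk.com
admonEventType=Update
Names:
name=SplunkTest
DEL:08ddfbb9-00a5-42fd-a729-4d9fcbdfe8ec
distinguishedName=OU=SplunkTest\\0ADEL:08ddfbb9-00a5-42fd-a729-4d9fcbdfe8ec,CN=Deleted Objects,DC=ad,DC=splunk,DC=com
objectGUID=807abf9b-dd00-a542-fd29-4d9fcbdfe8ec
uSNChanged=2922895
lastKnownParent=DC=ad,DC=splunk,DC=com
isDeleted=TRUE""",
]


def parse_event(raw):
    """Return the event's fields as a dict; header lines without '=' are skipped."""
    fields = {}
    for line in raw.splitlines():
        for key, value in FIELD_RE.findall(line.strip()):
            fields[key] = value
    return fields


def classify(fields):
    """Map admonEventType (plus isDeleted) onto the four event types the page describes."""
    etype = fields.get("admonEventType", "").lower()
    if etype == "schema":
        return "schema"
    if etype == "sync":
        return "sync"
    if etype == "update":
        return "delete" if fields.get("isDeleted", "").upper() == "TRUE" else "update"
    return "unknown"


def usn_advanced(seen, fields):
    """True if uSNChanged exceeds the highest value seen for this objectGUID; None if absent."""
    guid, usn = fields.get("objectGUID"), fields.get("uSNChanged")
    if not guid or not (usn or "").isdigit():
        return None
    prev = seen.get(guid)
    seen[guid] = max(int(usn), prev or 0)
    return prev is None or int(usn) > prev


def summarize(raw_events):
    """Classify each event and note whether its USN moved past the last value seen."""
    seen, rows = {}, []
    for raw in raw_events:
        f = parse_event(raw)
        rows.append({"type": classify(f),
                     "name": f.get("name") or f.get("className"),
                     "usn_advanced": usn_advanced(seen, f)})
    return rows
```

The replayed event is the case worth watching for: it has the same admonEventType and fields as a real change but its USN has not moved, so summarize() reports usn_advanced as False rather than counting a second modification.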
Schema event
Schema type event (admonEventType=schema): the definition of every object class in the Active Directory structure. Listed for each object: which fields are available, and whether each is required or optional.
02/01/2010 15:11:16.0518 dcName=LDAP://stuff.splunk.com/ admonEventType=schema className=msExchProtocolCfgSMTPIPAddress classCN=ms-Exch-Protocol-Cfg-SMTP-IP-Address instanceType=MandatoryProperties nTSecurityDescriptor=MandatoryProperties objectCategory=MandatoryProperties objectClass=MandatoryProperties adminDescription=OptionalProperties adminDisplayName=OptionalProperties allowedAttributes=OptionalProperties allowedAttributesEffective=OptionalProperties allowedChildClasses=OptionalProperties allowedChildClassesEffective=OptionalProperties bridgeheadServerListBL=OptionalProperties canonicalName=OptionalProperties cn=OptionalProperties createTimeStamp=OptionalProperties description=OptionalProperties directReports=OptionalProperties displayName=OptionalProperties displayNamePrintable=OptionalProperties distinguishedName=OptionalProperties dSASignature=OptionalProperties dSCorePropagationData=OptionalProperties extensionName=OptionalProperties flags=OptionalProperties fromEntry=OptionalProperties frsComputerReferenceBL=OptionalProperties fRSMemberReferenceBL=OptionalProperties fSMORoleOwner=OptionalProperties heuristics=OptionalProperties isCriticalSystemObject=OptionalProperties isDeleted=OptionalProperties isPrivilegeHolder=OptionalProperties lastKnownParent=OptionalProperties legacyExchangeDN=OptionalProperties managedObjects=OptionalProperties masteredBy=OptionalProperties memberOf=OptionalProperties modifyTimeStamp=OptionalProperties mS-DS-ConsistencyChildCount=OptionalProperties mS-DS-ConsistencyGuid=OptionalProperties msCOM-PartitionSetLink=OptionalProperties msCOM-UserLink=OptionalProperties msDFSR-ComputerReferenceBL=OptionalProperties msDFSR-MemberReferenceBL=OptionalProperties msDS-Approx-Immed-Subordinates=OptionalProperties msDs-masteredBy=OptionalProperties msDS-MembersForAzRoleBL=OptionalProperties msDS-NCReplCursors=OptionalProperties msDS-NCReplInboundNeighbors=OptionalProperties msDS-NCReplOutboundNeighbors=OptionalProperties 
msDS-NonMembersBL=OptionalProperties msDS-ObjectReferenceBL=OptionalProperties msDS-OperationsForAzRoleBL=OptionalProperties msDS-OperationsForAzTaskBL=OptionalProperties msDS-ReplAttributeMetaData=OptionalProperties msDS-ReplValueMetaData=OptionalProperties msDS-TasksForAzRoleBL=OptionalProperties msDS-TasksForAzTaskBL=OptionalProperties msExchADCGlobalNames=OptionalProperties msExchALObjectVersion=OptionalProperties msExchHideFromAddressLists=OptionalProperties msExchInconsistentState=OptionalProperties msExchIPAddress=OptionalProperties msExchTurfList=OptionalProperties msExchUnmergedAttsPt=OptionalProperties msExchVersion=OptionalProperties msSFU30PosixMemberOf=OptionalProperties name=OptionalProperties netbootSCPBL=OptionalProperties nonSecurityMemberBL=OptionalProperties objectGUID=OptionalProperties objectVersion=OptionalProperties otherWellKnownObjects=OptionalProperties ownerBL=OptionalProperties partialAttributeDeletionList=OptionalProperties partialAttributeSet=OptionalProperties possibleInferiors=OptionalProperties proxiedObjectName=OptionalProperties proxyAddresses=OptionalProperties queryPolicyBL=OptionalProperties replicatedObjectVersion=OptionalProperties replicationSignature=OptionalProperties replPropertyMetaData=OptionalProperties replUpToDateVector=OptionalProperties repsFrom=OptionalProperties repsTo=OptionalProperties revision=OptionalProperties sDRightsEffective=OptionalProperties serverReferenceBL=OptionalProperties showInAddressBook=OptionalProperties showInAdvancedViewOnly=OptionalProperties siteObjectBL=OptionalProperties structuralObjectClass=OptionalProperties subRefs=OptionalProperties subSchemaSubEntry=OptionalProperties systemFlags=OptionalProperties unmergedAtts=OptionalProperties url=OptionalProperties uSNChanged=OptionalProperties uSNCreated=OptionalProperties uSNDSALastObjRemoved=OptionalProperties USNIntersite=OptionalProperties uSNLastObjRem=OptionalProperties uSNSource=OptionalProperties wbemPath=OptionalProperties 
wellKnownObjects=OptionalProperties whenChanged=OptionalProperties whenCreated=OptionalProperties wWWHomePage=OptionalProperties
Sync event
Sync type event (admonEventType=Sync): represents one instance of an object and its field values. Splunk syncs back to the very beginning, trying to capture all of the objects from the last recorded USN.
2/1/10
3:11:09.074 PM
02/01/2010 15:11:09.0748
dcName=ftw.ad.splunk.com
admonEventType=Sync
Names:
name=NTDS Settings
distinguishedName=CN=NTDS Settings,CN=stuff,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration
cn=NTDS Settings
objectCategory=CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=ad,DC=splunk,DC=com
fullPath=LDAP://stuff.splunk.com/<GUID=bla bla bla>
CN=NTDS Settings
Object Details:
whenCreated=10:15.04 pm, Tue 02/12/2008
whenChanged=10:23.00 pm, Tue 02/12/2008
objectGUID=bla bla bla
objectClass=top|applicationSettings|nTDSDSA
classPath=nTDSDSA
Event Details:
instanceType=4
Additional Details:
systemFlags=33554432
showInAdvancedViewOnly=TRUE
serverReferenceBL=CN=stuff,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System
options=1
msDS-hasMasterNCs=DC=ForestDnsZones|DC=DomainDnsZones|CN=Schema,CN=Configuration|CN=Configuration
msDS-HasInstantiatedNCs=
msDS-HasDomainNCs=blah
msDS-Behavior-Version=2
invocationId=bla bla bla
hasMasterNCs=CN=Schema,CN=Configuration|CN=Configuration
dSCorePropagationData=
dMDLocation=CN=Schema,CN=Configuration
nTSecurityDescriptor=NT AUTHORITY\Authenticated Users
SchemaName=LDAP://stuff.splunk.com/schema/nTDSDSA
Update event
Update type event (admonEventType=Update): an object has been changed; this includes a change to any of the object's fields.
2/1/10
3:17:18.009 PM
02/01/2010 15:17:18.0099
dcName=ftw.ad.splunk.com
admonEventType=Update
Names:
objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=splunk,DC=com
name=THE
displayName=THE$
distinguishedName=CN=THE,CN=Computers,DC=ad,DC=splunk,DC=com
cn=THE
Object Details:
sAMAccountType=805306369
sAMAccountName=THE$
logonCount=4216
accountExpires=9223372036854775807
objectSid=S-1-5-21-3436176729-1841096389-3700143990-1190
primaryGroupID=515
pwdLastSet=129091141316250000
lastLogon=129095398380468750
lastLogoff=0
badPasswordTime=0
countryCode=0
codePage=0
badPwdCount=0
userAccountControl=4096
objectGUID=5608e9b5-93be-284a-558f-cabb70f647a1
whenChanged=20100128010211.0Z
whenCreated=20081125172950.0Z
objectClass=top|person|organizationalPerson|user|computer
Event Details:
uSNChanged=2921916
uSNCreated=1679623
instanceType=4
Additional Details:
isCriticalSystemObject=FALSE
servicePrincipalName=TERMSRV/THE|TERMSRV/the.ad.splunk.com|HOST/THE|HOST/the.ad.splunk.com
dNSHostName=the.ad.splunk.com
operatingSystemServicePack=Service Pack 2
operatingSystemVersion=6.0 (6002)
operatingSystem=Windows Vista™ Ultimate
localPolicyFlags=0
Delete event
An object has been marked for deletion. Even though admonEventType=Update, notice the isDeleted=TRUE at the end of the event.
2/1/10
3:11:16.095 PM
02/01/2010 15:11:16.0954
dcName=ftw.ad.splunk.com
admonEventType=Update
Names:
name=SplunkTest
DEL:08ddfbb9-00a5-42fd-a729-4d9fcbdfe8ec
distinguishedName=OU=SplunkTest\0ADEL:08ddfbb9-00a5-42fd-a729-4d9fcbdfe8ec,CN=Deleted Objects,DC=ad,DC=splunk,DC=com
ou=SplunkTest
DEL:08ddfbb9-00a5-42fd-a729-4d9fcbdfe8ec
Object Details:
objectGUID=807abf9b-dd00-a542-fd29-4d9fcbdfe8ec
whenChanged=20100128233113.0Z
whenCreated=20100128232712.0Z
objectClass=top|organizationalUnit
Event Details:
uSNChanged=2922895
uSNCreated=2922846
instanceType=4
Additional Details:
dSCorePropagationData=20100128233113.0Z|20100128233113.0Z|20100128233113.0Z|16010108151056.0Z
lastKnownParent=DC=ad,DC=splunk,DC=com
isDeleted=TRUE
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11