Documentation > Splunk > Admin Manual > Monitor Active Directory

Admin Manual

 


Welcome to Splunk administration
What to do first
Use Splunk Web
Meet Splunk apps
Configure Splunk
Indexing with Splunk
Add data and configure inputs
Set up forwarding and receiving
Configure event processing
Configure event timestamping
Configure indexed field extraction
Manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Deploy to other Splunk instances
Set up distributed search
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference
Troubleshooting

Monitor Active Directory

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Monitor Active Directory

Configure Active Directory monitoring as an input to monitor changes to portions - or all - of your Active Directory forest, and collect user and machine metadata.

Once you've enabled this feature and restarted Splunk it will take a baseline snapshot of your AD data and the AD schema. It'll use this data to get a starting point against which to monitor. This process might take a little time before it is complete.

Powerful lookups from your AD data

You can use this feature combined with dynamic list lookups to decorate or modify events with any information available in AD. Read an overview of how in this topic on the Splunk Community Wiki.

Things to know

  • This feature is only available on Windows platforms.
  • The admon.exe process can run under a full Splunk install or within a forwarder.
  • The machine the admon.exe process is running on must belong to the domain you want to monitor.
  • The user Splunk is running as must be part of the domain too; whatever rights that user has to query AD will filter the results Splunk can see.
  • You can use the Windows permissions of the user admon.exe is running as to control the level of access Splunk should have and what it should be allowed to see. Note that changes to domain policy as set in Group Policy Editor can further restrict access.

For more details, see this topic about choosing the user Splunk should run as in the Installation Manual.

Configure monitoring

You can configure AD monitoring either in Splunk Web or by editing configuration files.

Configure AD monitoring with Splunk Web

1. Click Manager in the upper right-hand corner of Splunk Web.

2. Under System configurations, click Data Inputs.

3. Click Active Directory monitoring.

4. Click Add new to add an input.

5. Enter a unique Name for the AD monitor.

6. Either enter a Target domain controller or let Splunk discover the nearest domain controller automatically.

7. Either select a Starting node or Splunk will start monitoring from the highest available part of the tree.

8. Select Monitor subtree, if you want Splunk to monitor all child nodes.

10. Click Save.

Configure AD monitoring in inputs.conf and admon.conf

Be sure to edit copies of these configuration files in a \local directory. If you edit them in the default directory, any changes you make will be overwritten when you upgrade Splunk. For more information about configuration file precedence, refer to "About configuration files" in this manual.

1. Make a copy of $SPLUNK_HOME\etc\system\default\inputs.conf and put it in $SPLUNK_HOME\etc\system\local\inputs.conf.

2. Edit the copy and enable the scripted input [script://$SPLUNK_HOME\bin\scripts\splunk-admon.path] by setting the value of disabled to 0.

3. Next, make a similar copy of $SPLUNK_HOME\etc\system\default\admon.conf and put it in $SPLUNK_HOME\etc\system\local\admon.conf.

4. Edit it using the information later in this topic. By default, when enabled, it will index the first domain controller that the admon.exe process can attach to. If that is acceptable, no further configuration is necessary; it will just work.

Settings in admon.conf

monitorSubtree tells Splunk how much of the target container to index. A value of 0 will tell Splunk to only index the target container. A value of of 1 (the default) will tell Splunk to enumerate all sub-containers and domains it has access to.

targetDC sets the unique name of the domain controller host you want to monitor. Specify a unique name if:

  • you have a very large AD and you only want to monitor information in a particular branch (ou), subdomain, etc.
  • you want to limit your scope to only a certain subdomain of your tree.
  • you have a specific (read-only) domain controller that is offered for this purpose in a high security environment.
  • if you have multiple domain forests in a trusted configuration, you can use this to target a different tree than the one where Splunk resides.
  • if you want to run multiple instances of admon.exe to target multiple Domain Controllers, for example, to monitor replication health across a distributed environment.

If you want to target multiple DCs, add another [<uniquename>TargetDC] stanza for a target in that tree.

startingNode is a fully qualified LDAP name (for example "LDAP://OU=Computers,DC=ad,DC=splunk,DC=com") where Splunk will begin its indexing. Splunk starts there and enumerates down to sub-containers, depending on the configuration of monitorSubtree above. If you don't specify something, it will start at the highest root domain in the tree it can access.

The startingNode must be within the scope of the DC you are targeting to be successful.

Example AD monitoring configurations

You can monitor monitor a target DC that is a higher root level than an OU you want to target, for example:

The OU = computers in the eng.ad.splunk.com subdomain.

Target your DC to be one of the controllers in ad.splunk.com. The reason one might do this is if you want the schema for the entire tree, not just a sub-domain. Then set the starting node to be an OU in eng.ad.splunk.com to audit machines being added and removed from that OU. 

[default]
monitorSubtree = 1
disabled = 0

[DefaultTargetDC]
targetDC = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

You can monitor multiple DCs, for example: 

[default]
monitorSubtree = 1
disabled = 0

[DefaultTargetDC]
targetDC = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

[SecondTargetDC]
targetDC = pri02.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

Sample admon output

The following are examples of the types of admon events that Splunk indexes. Some of the content of these events has been obscured/altered for publication purposes.

Delete event

An object has been marked for deletion. Even though admonEventType=Update, notice the isDeleted=True at the end of the event. 

2/1/10
3:11:16.095 PM                 
 
02/01/2010 15:11:16.0954
dcName=stuff.splunk.com
admonEventType=Update
Names:
                name=SplunkTest
DEL:blah
                distinguishedName=OU=SplunkTest\0ADEL:blah,CN=Deleted Objects
DEL:blah
Object Details:
                objectGUID=blah
                whenChanged=20100128233113.0Z
                whenCreated=20100128232712.0Z
                objectClass=top|organizationalUnit
Event Details:
                uSNChanged=2922895
                uSNCreated=2922846
                instanceType=4
Additional Details:
                dSCorePropagationData=20100128233113.0Z|20100128233113.0Z|20100128233113.0Z|16010108151056.0Z
                lastKnownParent=stuff
                isDeleted=TRUE

Update event

Update type event: admonEventType=Update An object has been changed, this includes a change to any of the object's fields. 

           
2/1/10
3:17:18.009 PM                 
                
02/01/2010 15:17:18.0099
dcName=stuff.splunk.com
admonEventType=Update
Names:
                objectCategory=CN=Computer,CN=Schema,CN=Configuration
                name=stuff2
                displayName=stuff2
                distinguishedName=CN=stuff2,CN=Computers
Object Details:
                sAMAccountType=805306369
                sAMAccountName=stuff2
                logonCount=4216
                accountExpires=9223372036854775807
                objectSid=S-1-5-21-3436176729-1841096389-3700143990-1190
                primaryGroupID=515
                pwdLastSet=129091141316250000
                lastLogon=129095398380468750
                lastLogoff=0
                badPasswordTime=0
                countryCode=0
                codePage=0
                badPwdCount=0
                userAccountControl=4096
                objectGUID=blah
                whenChanged=20100128010211.0Z
                whenCreated=20081125172950.0Z
                objectClass=top|person|organizationalPerson|user|computer
Event Details:
                uSNChanged=2921916
                uSNCreated=1679623
                instanceType=4
Additional Details:
                isCriticalSystemObject=FALSE
                servicePrincipalName=TERMSRV/stuff2|TERMSRV blah
                dNSHostName=stuff2.splunk.com
                operatingSystemServicePack=Service Pack 2
                operatingSystemVersion=6.0 (6002)
                operatingSystem=Windows Vista? Ultimate
localPolicyFlags=0

Sync event

Sync type event: admonEventType=Sync Represents the instance of one object, and its field values. Splunk syncs up to the very beginning, trying to capture all of the objects from the last recorded Update Sequence Number (USN).

Note: When you restart either Splunk or the splunk-admon.exe process, Splunk will log an extra 'sync' event. 

2/1/10
3:11:09.074 PM                 
 
02/01/2010 15:11:09.0748
dcName=ftw.ad.splunk.com
admonEventType=Sync
Names:
                name=NTDS Settings
                distinguishedName=CN=NTDS Settings,CN=stuff,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration
                cn=NTDS Settings
                objectCategory=CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=ad,DC=splunk,DC=com
                fullPath=LDAP://stuff.splunk.com/<GUID=bla bla bla>
                CN=NTDS Settings
Object Details:
                whenCreated=10:15.04 pm, Tue 02/12/2008
                whenChanged=10:23.00 pm, Tue 02/12/2008
                objectGUID=bla bla bla
                objectClass=top|applicationSettings|nTDSDSA
                classPath=nTDSDSA
Event Details:
                instanceType=4
Additional Details:
                systemFlags=33554432
                showInAdvancedViewOnly=TRUE
                serverReferenceBL=CN=stuff,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System
                options=1
                msDS-hasMasterNCs=DC=ForestDnsZones|DC=DomainDnsZones|CN=Schema,CN=Configuration|CN=Configuration
                msDS-HasInstantiatedNCs=
                msDS-HasDomainNCs=blah
                msDS-Behavior-Version=2
                invocationId=bla bla bla
                hasMasterNCs=CN=Schema,CN=Configuration|CN=Configuration
                dSCorePropagationData=
                dMDLocation=CN=Schema,CN=Configuration
                nTSecurityDescriptor=NT AUTHORITY\Authenticated Users
SchemaName=LDAP://stuff.splunk.com/schema/nTDSDSA

Schema event

Schema type event: admonEventType=schema The definitions of every object in the Active Directory structure. Listed for each object: which fields are available, required, and optional. 

02/01/2010 15:11:16.0518
dcName=LDAP://stuff.splunk.com/
admonEventType=schema
className=msExchProtocolCfgSMTPIPAddress
classCN=ms-Exch-Protocol-Cfg-SMTP-IP-Address
instanceType=MandatoryProperties
nTSecurityDescriptor=MandatoryProperties
objectCategory=MandatoryProperties
objectClass=MandatoryProperties
adminDescription=OptionalProperties
adminDisplayName=OptionalProperties
allowedAttributes=OptionalProperties
allowedAttributesEffective=OptionalProperties
allowedChildClasses=OptionalProperties
allowedChildClassesEffective=OptionalProperties
bridgeheadServerListBL=OptionalProperties
canonicalName=OptionalProperties
cn=OptionalProperties
createTimeStamp=OptionalProperties
description=OptionalProperties
directReports=OptionalProperties
displayName=OptionalProperties
displayNamePrintable=OptionalProperties
distinguishedName=OptionalProperties
dSASignature=OptionalProperties
dSCorePropagationData=OptionalProperties
extensionName=OptionalProperties
flags=OptionalProperties
fromEntry=OptionalProperties
frsComputerReferenceBL=OptionalProperties
fRSMemberReferenceBL=OptionalProperties
fSMORoleOwner=OptionalProperties
heuristics=OptionalProperties
isCriticalSystemObject=OptionalProperties
isDeleted=OptionalProperties
isPrivilegeHolder=OptionalProperties
lastKnownParent=OptionalProperties
legacyExchangeDN=OptionalProperties
managedObjects=OptionalProperties
masteredBy=OptionalProperties
memberOf=OptionalProperties
modifyTimeStamp=OptionalProperties
mS-DS-ConsistencyChildCount=OptionalProperties
mS-DS-ConsistencyGuid=OptionalProperties
msCOM-PartitionSetLink=OptionalProperties
msCOM-UserLink=OptionalProperties
msDFSR-ComputerReferenceBL=OptionalProperties
msDFSR-MemberReferenceBL=OptionalProperties
msDS-Approx-Immed-Subordinates=OptionalProperties
msDs-masteredBy=OptionalProperties
msDS-MembersForAzRoleBL=OptionalProperties
msDS-NCReplCursors=OptionalProperties
msDS-NCReplInboundNeighbors=OptionalProperties
msDS-NCReplOutboundNeighbors=OptionalProperties
msDS-NonMembersBL=OptionalProperties
msDS-ObjectReferenceBL=OptionalProperties
msDS-OperationsForAzRoleBL=OptionalProperties
msDS-OperationsForAzTaskBL=OptionalProperties
msDS-ReplAttributeMetaData=OptionalProperties
msDS-ReplValueMetaData=OptionalProperties
msDS-TasksForAzRoleBL=OptionalProperties
msDS-TasksForAzTaskBL=OptionalProperties
msExchADCGlobalNames=OptionalProperties
msExchALObjectVersion=OptionalProperties
msExchHideFromAddressLists=OptionalProperties
msExchInconsistentState=OptionalProperties
msExchIPAddress=OptionalProperties
msExchTurfList=OptionalProperties
msExchUnmergedAttsPt=OptionalProperties
msExchVersion=OptionalProperties
msSFU30PosixMemberOf=OptionalProperties
name=OptionalProperties
netbootSCPBL=OptionalProperties
nonSecurityMemberBL=OptionalProperties
objectGUID=OptionalProperties
objectVersion=OptionalProperties
otherWellKnownObjects=OptionalProperties
ownerBL=OptionalProperties
partialAttributeDeletionList=OptionalProperties
partialAttributeSet=OptionalProperties
possibleInferiors=OptionalProperties
proxiedObjectName=OptionalProperties
proxyAddresses=OptionalProperties
queryPolicyBL=OptionalProperties
replicatedObjectVersion=OptionalProperties
replicationSignature=OptionalProperties
replPropertyMetaData=OptionalProperties
replUpToDateVector=OptionalProperties
repsFrom=OptionalProperties
repsTo=OptionalProperties
revision=OptionalProperties
sDRightsEffective=OptionalProperties
serverReferenceBL=OptionalProperties
showInAddressBook=OptionalProperties
showInAdvancedViewOnly=OptionalProperties
siteObjectBL=OptionalProperties
structuralObjectClass=OptionalProperties
subRefs=OptionalProperties
subSchemaSubEntry=OptionalProperties
systemFlags=OptionalProperties
unmergedAtts=OptionalProperties
url=OptionalProperties
uSNChanged=OptionalProperties
uSNCreated=OptionalProperties
uSNDSALastObjRemoved=OptionalProperties
USNIntersite=OptionalProperties
uSNLastObjRem=OptionalProperties
uSNSource=OptionalProperties
wbemPath=OptionalProperties
wellKnownObjects=OptionalProperties
whenChanged=OptionalProperties
whenCreated=OptionalProperties
wWWHomePage=OptionalProperties

Troubleshooting Active Directory logging

If you encounter problems receiving Active Directory events, or are not getting the results you expect, you can enable debugging in Splunk's logging engine in order to get additional data.

In order to enable debugging for Admon, you'll need to set two parameters.

1. Edit log.cfg in %SPLUNK_HOME\etc. Add the following parameter: 

[splunkd]
 category.ExecProcessor=DEBUG

2. Edit log-cmdline.cfg, also in %SPLUNK_HOME%\etc. Edit the following parameter: 

 category.splunk-admon=DEBUG

3. Restart Splunk: 

C:\Program Files\Splunk\bin> splunk restart

4. Once Splunk has restarted, let it run for a few minutes until you see debug log information coming into Splunk.

Note: You can search Splunk's logfiles within Splunk by supplying index="_internal" as part of your search string. Review this topic on Splunk log files for additional information.

5. Once enough debug logging has been collected, send a diag to Splunk Support: 

C:\Program Files\Splunk\bin> splunk diag

Note: Remember to revert back to the default settings below once you finish troubleshooting.

In log.cfg: 

category.ExecProcessor=WARN

In log-cmdline.cfg: 

category.splunk-admon=INFO

Note: Any changes made in log.cfg are overwritten when you upgrade Splunk. Create a log-local.cfg for your specific needs to avoid this problem.

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around monitoring AD with Splunk.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.1.5/Admin/AuditActiveDirectory"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.


Comments

In release 4.2, the topics on monitoring data were moved to a new manual, called "Getting Data In". Please look here for the 4.2 version of this topic:

http://www.splunk.com/base/Documentation/latest/Data/AuditActiveDirectory

Sgoodman
July 5, 2011

This document is not included in the 4.2.x versions of Splunk documentation. Is this still supported in 4.2.x?

Jwebster splunk
July 5, 2011

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!