Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure

Configure Active Directory audit policy

This topic discusses changing the Active Directory audit policy to allow the domain controllers in your Active Directory to generate the needed events and logs for the Splunk App for Windows Infrastructure.

Active Directory audit policy

By default, Active Directory does not automatically audit certain security events. You must enable auditing of these events so that your domain controllers log them into the Security event log channel.

You do this by creating a Group Policy object (GPO) and deploying that GPO to all domain controllers (DCs) in your AD environment. Once you activate the GPO, your DCs log these security events into the Security event log.

Then, you install universal forwarders (as deployment clients) on the domain controllers and deploy the appropriate Active Directory add-ons to those clients. The add-ons collect the logs and forward them to the central Splunk App for Windows Infrastructure indexers.

This topic shows you how to create individual Group Policy objects (GPOs) for both sets of settings. If you wish, you can combine both the PowerShell and audit settings into a single GPO. For ease of administration, you should create and deploy these GPOs separately from other GPOs.

Important information on security event auditing and indexing volume

When you enable auditing of the Security Event Log on your domain controllers, the DCs generate a lot of data. These events significantly increase indexing volume and might cause indexing license violations. You might also see decreased performance on your domain controllers based on how much additional data the servers generate.

If you are concerned about the impact that enabling security event auditing might have on your indexing volume, you can tweak policy settings to generate only the data that is important to you. Refer to the table below to learn about which policy settings generate which event types, and how the Splunk App for Windows Infrastructure uses those events to populate its dashboards, reports and lookups.

If you choose to disable certain policy settings in an effort to curb indexing volume, you directly affect how much data gets sent to the Splunk App for Windows Infrastructure. The table below lists what data you do not collect if you decide not to enable a particular policy setting. This is not an all-inclusive list - the app correlates some lookups across various policy settings, as multiple events often derive a single knowledge object. Failure to enable all of the policy settings might cause the Splunk App for Windows Infrastructure to display incomplete or incorrect knowledge objects in its dashboards and reports.

Policy setting | Required? | What the Splunk App for Windows Infrastructure uses it for
Audit Account Logon Events | Yes | Administrator Audit dashboards; Security->Logon dashboards; Security->Reports->New (Computer or Domain) Accounts; Session ID-to-User (tSessions) lookup; Computer-to-IP Address (tHostinfo) lookup
Audit Account Management | No | Administrator Audit dashboards; Change Management dashboards
Audit Logon Events | No | Administrator Audit dashboards; Logon and access information
Audit Object Access | No | Administrator Audit dashboards; Information on who changed a GPO and when
Audit Policy Change | No | Security->Reports->Group Policy Reports; GPO Change Management dashboard
Audit System Events | No | Directory Services replication events

Advanced Audit Policy settings

You might alternatively want to use the Advanced Audit Policy (AAP) configuration settings to control which events your domain controllers send to the Splunk App for Windows Infrastructure. While Splunk supports this method, it is outside the scope of this document to list all available AAP configuration options.

This is because of the number of available AAP configuration options and the fact that those options change with different Windows versions - for example, the options for the Windows Server 2008 family differ from those in the Windows Server 2012 families. Windows Vista and other workstation-class versions of Windows do not support AAP.

If you need more granularity in the types of audit events you want generated, you can review eventtypes.conf (located in the Splunk App for Windows Infrastructure installation at %SPLUNK_HOME%\etc\apps\splunk_app_windows_infrastructure\default) for the event codes that the app looks for. With that information, you can create a GPO that enables AAP and generates audit events for only those specific event codes.

Note: When you enable AAP, Windows disables configurations for standard Audit Policy.
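The review of eventtypes.conf described above is easier to do mechanically. The following PowerShell is an added example, not Splunk's code and not the app's real eventtypes.conf: it walks the [stanza] / search = ... layout of a Splunk eventtypes.conf and lists the EventCode values each stanza searches for, so you can map those codes to the audit subcategories an AAP GPO must enable. The stanzas in $SampleConf are constructed sample data; to run it against the real file, read %SPLUNK_HOME%\etc\apps\splunk_app_windows_infrastructure\default\eventtypes.conf into -ConfText instead.

```powershell
# Added example (not Splunk's code): list the Windows event codes that each
# eventtypes.conf stanza searches for. The stanzas below are CONSTRUCTED sample
# data in the same [stanza] / search = ... layout; the real stanza names and
# searches come from the app's own eventtypes.conf.
$SampleConf = @'
[wineventlog_security_logon]
search = sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4625 OR EventCode=4634)

[wineventlog_security_account_mgmt]
search = sourcetype=WinEventLog:Security EventCode IN (4720, 4722, 4726)

[wineventlog_security_policy_change]
search = sourcetype=WinEventLog:Security (EventCode=4719 OR EventCode=4739)
'@

function Get-EventCodesFromEventtypes {
    param([Parameter(Mandatory)][string]$ConfText)

    $codesByStanza = [ordered]@{}
    $stanza = $null
    foreach ($line in ($ConfText -split "`r?`n")) {
        # Stanza header: [name]
        if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
            $stanza = $Matches.name
            $codesByStanza[$stanza] = @()
            continue
        }
        # Only the search key carries event codes; skip everything else.
        if ($null -eq $stanza -or $line -notmatch '^\s*search\s*=') { continue }

        $codes = @()
        # Form 1: EventCode=4624 (optionally quoted)
        foreach ($m in [regex]::Matches($line, 'EventCode\s*=\s*"?(\d+)')) {
            $codes += [int]$m.Groups[1].Value
        }
        # Form 2: EventCode IN (4720, 4722, 4726)
        foreach ($m in [regex]::Matches($line, 'EventCode\s+IN\s*\(([^)]*)\)', 'IgnoreCase')) {
            foreach ($token in ($m.Groups[1].Value -split '[,\s]+')) {
                if ($token -match '^\d+$') { $codes += [int]$token }
            }
        }
        $codesByStanza[$stanza] = @($codes | Sort-Object -Unique)
    }
    return $codesByStanza
}

# Per-stanza view: which codes a given knowledge object depends on.
$byStanza = Get-EventCodesFromEventtypes -ConfText $SampleConf
foreach ($name in $byStanza.Keys) {
    '{0}: {1}' -f $name, ($byStanza[$name] -join ', ')
}

# Inverted view: which stanzas (and so which dashboards or lookups) you lose
# if a particular event code is never audited.
$byCode = @{}
foreach ($name in $byStanza.Keys) {
    foreach ($code in $byStanza[$name]) {
        if (-not $byCode.ContainsKey($code)) { $byCode[$code] = @() }
        $byCode[$code] += $name
    }
}
foreach ($code in ($byCode.Keys | Sort-Object)) {
    'EventCode {0} -> {1}' -f $code, ($byCode[$code] -join ', ')
}
```

The inverted list is the one to keep next to your AAP GPO design: every event code that appears in it needs its subcategory enabled, or the stanzas listed for it stop matching and the dependent dashboards show gaps.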

Enable auditing on Windows Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, and Server 2016

Create a new GPO

  1. From the Windows Start menu, click Start > Administrative Tools > Group Policy Management.
  2. In the left pane, under "Group Policy Management," expand the forest and domain for which you want to set group policy.
  3. Right-click Group Policy objects and select New.
  4. In the dialog window that opens, enter a unique, memorable name for the new GPO in the Name field, and select None for the Source Starter GPO field.

Edit the GPO to change audit policy

  1. Open the GPO for editing by right-clicking the newly created GPO in the Group Policy Objects window and selecting Edit.
  2. In the GPO editor, select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
  3. Enable both Success and Failure auditing of the following policy settings:
    • Audit account logon events
    • Audit account management
    • Audit directory service access
    • Audit logon events
    • Audit object access
    • Audit policy change
    • Audit privilege use
    • Audit system events
  4. Close the Group Policy Object Editor window to save your changes.
  5. For Windows Server 2008, you can verify whether the audit policy has been applied by following the steps in the Microsoft article "Security auditing settings are not applied to Windows Vista-based and Windows Server 2008-based computers when you deploy a domain-based policy."

Deploy the GPO

  1. In Group Policy Management, in the left pane of the window, right-click the Domain Controllers item and click Link an Existing GPO...
  2. In the window that appears, select the GPO you created.
  3. Click OK. The GPMC refreshes to show that your GPO is now linked to the Domain Controllers organizational unit.
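Once the GPO is linked and the domain controllers have refreshed policy, confirm that the eight audit categories are actually in effect rather than assuming the link worked. The script below is an added example, not Splunk's code: run it in an elevated PowerShell session on a domain controller after gpupdate /force. It parses the output of auditpol /get /category:* (the English category names are assumed; auditpol output is localised), reports any subcategory that is not set to Success and Failure, and reads the registry value SCENoApplyLegacyAuditPolicy, which is the stored form of the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" option that, when enabled, makes Windows ignore the legacy category settings this GPO configures.

```powershell
# Added example (not Splunk's code): verify on a domain controller that the
# legacy audit categories enabled by the GPO are effective, and report whether
# the subcategory override option is silently disabling them.
# Run elevated, on the DC, after the GPO link and 'gpupdate /force'.

# GPO policy name -> category name as printed by 'auditpol /get /category:*'.
# English names are assumed; adjust for other display languages.
$RequiredCategories = [ordered]@{
    'Audit account logon events'     = 'Account Logon'
    'Audit account management'       = 'Account Management'
    'Audit directory service access' = 'DS Access'
    'Audit logon events'             = 'Logon/Logoff'
    'Audit object access'            = 'Object Access'
    'Audit policy change'            = 'Policy Change'
    'Audit privilege use'            = 'Privilege Use'
    'Audit system events'            = 'System'
}

function ConvertFrom-AuditpolOutput {
    # Parse auditpol text lines into category -> (subcategory -> setting).
    param([Parameter(Mandatory)][string[]]$Lines)
    $policy = [ordered]@{}
    $category = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$' -or $line -match '^(System audit policy|Category/Subcategory)') { continue }
        if ($line -match '^\S') {
            # Category names start in column 0.
            $category = $line.Trim()
            $policy[$category] = [ordered]@{}
            continue
        }
        # Subcategory lines are indented; the setting follows a run of 2+ spaces.
        if ($category -and $line -match '^\s+(?<sub>.+?)\s{2,}(?<setting>\S.*)$') {
            $policy[$category][$Matches.sub] = $Matches.setting.Trim()
        }
    }
    return $policy
}

function Get-EffectiveAuditPolicy {
    ConvertFrom-AuditpolOutput -Lines @(auditpol.exe /get /category:* 2>&1 | ForEach-Object { "$_" })
}

function Test-RequiredAuditPolicy {
    # Returns one message per subcategory that is not 'Success and Failure'.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Policy)
    $problems = @()
    foreach ($gpoName in $RequiredCategories.Keys) {
        $cat = $RequiredCategories[$gpoName]
        if (-not $Policy.Contains($cat)) {
            $problems += "$gpoName : category '$cat' not present in auditpol output"
            continue
        }
        foreach ($sub in $Policy[$cat].Keys) {
            $setting = $Policy[$cat][$sub]
            if ($setting -ne 'Success and Failure') {
                $problems += "$gpoName : $cat / $sub is '$setting', expected 'Success and Failure'"
            }
        }
    }
    return $problems
}

function Get-SubcategoryOverrideState {
    # SCENoApplyLegacyAuditPolicy = 1 is the registry form of the enabled
    # "Audit: Force audit policy subcategory settings ..." security option.
    $item = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (legacy category settings apply)' }
    if ($item.SCENoApplyLegacyAuditPolicy -eq 1) { return 'Enabled (legacy category settings are ignored)' }
    return 'Disabled (legacy category settings apply)'
}

$issues = @(Test-RequiredAuditPolicy -Policy (Get-EffectiveAuditPolicy))
if ($issues.Count -eq 0) {
    Write-Output 'All eight required audit categories are set to Success and Failure.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
Write-Output "Subcategory override: $(Get-SubcategoryOverrideState)"
```

If the override state reports Enabled while the warnings show categories at No Auditing, the GPO is linked but not effective: the subcategory override takes precedence over the legacy category settings, which is the situation the Note in the Advanced Audit Policy section describes.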

This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 2.0.0


Comments

After configuring the GPO, you may find the audit settings aren't applied (from the cmd line, run rsop.msc and check). Symptoms may include no group data when running the "customize features":

Detecting Groups ...
Active Directory: Groups not found.

Log file is here: C:\Windows\security\logs\winlogon.log

If you see this: Legacy audit settings are disabled. Skipped configuration of legacy audit settings.

This is the fix:
https://support.microsoft.com/en-us/help/921468/security-auditing-settings-are-not-applied-to-windows-vista-based-and

Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

"Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
Set to disabled.

#reload group policy and splunk

Nwieseler
July 20, 2018
