Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)

This documentation does not apply to the most recent version of Splunk® Supporting Add-on for Active Directory. For documentation on the most recent version, go to the latest release.

The ldapgroup command

Overview

The 'ldapgroup' command filters and augments events with information from Active Directory. It follows a 'search' or similar command in the pipeline so that you can feed it events. A sample usage follows:

|ldapsearch domain=SPL search="(objectClass=group)"|ldapgroup

There are several possible arguments:

Argument Description
groupdn=<field-name> Specifies the field to use as the distinguished name of the group to expand.
domain=<domain> Specifies the name of a configuration stanza in ldap.conf. If you do not specify a domain, the command uses the default stanza.
debug=<boolean> Specifies whether or not ldapgroup should write debug log data. When set to T, specifies that debug logging should occur.
logging_level=(CRITICAL|ERROR|WARNING|INFO|DEBUG) Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. Splunk can access this file with the "index=_internal sourcetype=SA-ldapsearch" search and exposes the following fields:

File: Full pathname of the source file where the logging call was made.
Level: Level of the logging call that was made; one of CRITICAL, ERROR, WARNING, INFO, or DEBUG.
Line: Line number in the source file where the logging call was made.
Pid: ID of the process that made the logging call.
log_source: String of the form "Pid=<Pid>, File=<File>, Line=<Line>".
message: Full text of the logged message.

ldapgroup writes its debug logs to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log. Splunk indexes and rotates this file by default.

Once it completes execution, ldapgroup adds five additional fields to each event:

Field Description
member_dn The list of Member Distinguished Names (DNs).
member_domain The NetBIOS domain(s) for the member DN(s).
member_name The sAMAccountName (SAM account name) for the member DN(s).
member_type The type of membership (one of PRIMARY, DIRECT or NESTED with the group DN).
mv_combo all of the above, combined into a single field separated by ###.

Examples

To display a table of all groups with their members and membership type:

|ldapsearch domain=SPL search="(objectClass=group)"|table cn,distinguishedName|ldapgroup|table cn,member_dn,member_type

Last modified on 03 November, 2016
The ldapfetch command   The ldaptestconnection command

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.2.0, 2.2.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters