Monitor Active Directory

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9

Configure Active Directory monitoring as an input to monitor changes to portions of, or all of, your AD forest and collect user and machine metadata.

Once you've enabled this feature and restarted Splunk, it takes a baseline snapshot of your AD data and the AD schema and uses that snapshot as the starting point against which to monitor. This process is throttled so it won't overwhelm your connection if you're auditing a remote AD instance, but it might take a little time to complete.

Powerful lookups from your AD data

You can use this feature combined with dynamic list lookups to decorate or modify events with any information available in AD. Read an overview of how in this topic on the Splunk Community Wiki.

Things to know

  • This feature is only available on Windows platforms, and you must have the Windows app enabled for it to work.
  • The admon.exe process can run under a full Splunk install or within a forwarder.
  • The machine the admon.exe process is running on must belong to the domain you want to monitor.
  • The user Splunk runs as must be part of the domain too; whatever rights that user has to query AD determine which results Splunk can see.
  • You can use the Windows permissions of the user admon.exe is running as to control the level of access Splunk should have and what it should be allowed to see. Note that the AD user rights policy set in Group Policy Manager can further restrict access.

For more details, see this topic about choosing the user Splunk should run as in the Installation Manual.

Configure AD monitoring in inputs.conf and admon.conf

Because this feature is included in the Windows app, you must configure the relevant files within that app's directory structure, so be sure you're editing the files in the correct location.

1. Make a copy of $SPLUNK_HOME\etc\apps\windows\default\inputs.conf and put it in $SPLUNK_HOME\etc\apps\windows\local\inputs.conf.

2. Edit the copy and enable the scripted input [script://$SPLUNK_HOME\bin\scripts\splunk-admon.py] by setting the value of disabled to 0.

3. Next, make a similar copy of $SPLUNK_HOME\etc\apps\windows\default\admon.conf and put it in $SPLUNK_HOME\etc\apps\windows\local\admon.conf.

4. Edit it using the information later in this topic. By default, when enabled, it will index the first domain controller that the admon.exe process can attach to. If that is acceptable, no further configuration is necessary; it will just work.

Settings in admon.conf

monitorSubtree = 0 tells Splunk to index only the target container. A value of 1 (the default) tells Splunk to enumerate all sub-containers and domains it has access to.

targetDC = the unique name of the domain controller host you want to monitor. Specify a unique name if:

  • you have a very large AD and only want to monitor information in a particular branch (OU), subdomain, etc.
  • you want to limit your scope to a certain subdomain of your tree.
  • you have a specific (read-only) domain controller that is offered for this purpose in a high-security environment.
  • you have multiple domain forests in a trusted configuration and want to target a different tree than the one where Splunk resides.
  • you want to run multiple instances of admon.exe to target multiple domain controllers, for example to monitor replication health across a distributed environment.

If you want to target multiple DCs, add another [<uniquename>TargetDC] stanza for a target in that tree.

startingNode = a fully qualified LDAP name (for example "LDAP://OU=Computers,DC=ad,DC=splunk,DC=com") where Splunk will begin its indexing. Splunk starts there and enumerates down to sub-containers, depending on the configuration of monitorSubtree, above. If you don't specify something, it will start at the highest root domain in the tree it can access.

The startingNode must be within the scope of the DC you are targeting to be successful.

Example AD monitoring configurations

You can monitor a target DC that is at a higher root level than the OU you want to target. For example:

The OU is Computers in the eng.ad.splunk.com subdomain.

Target your DC to be one of the controllers in ad.splunk.com. One reason to do this is that you want the schema for the entire tree, not just a subdomain. Then set the starting node to an OU in eng.ad.splunk.com to audit machines being added to and removed from that OU.

[default]
monitorSubtree = 1
disabled = 0

[DefaultTargetDC]
targetDC = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

You can monitor multiple DCs, for example:

[default]
monitorSubtree = 1
disabled = 0

[DefaultTargetDC]
targetDC = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

[SecondTargetDC]
targetDC = pri02.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com
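
As an added example (not the page's or Splunk's own code), the following Python reads a constructed inputs.conf and admon.conf modelled on the steps and stanzas above and checks the two things that most often go wrong: that the splunk-admon.py scripted input is actually enabled (disabled = 0), and that each stanza's startingNode lies within the scope of its targetDC. The scope rule is interpreted here as "the node's domain is the DC's own domain or a domain beneath it", with the DC's domain derived from its FQDN; that interpretation, the sample values and the function names are assumptions.

```python
import configparser
import re
from typing import Dict, List

# Constructed samples, modelled on the page's inputs.conf step and multi-DC admon.conf example.
SAMPLE_INPUTS_CONF = r"""
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.py]
disabled = 0
"""

SAMPLE_ADMON_CONF = """
[default]
monitorSubtree = 1
disabled = 0

[DefaultTargetDC]
targetDC = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

[SecondTargetDC]
targetDC = pri02.eng.ad.splunk.com
startingNode = LDAP://OU=Servers,DC=ad,DC=splunk,DC=com
"""

ADMON_INPUT_STANZA = r"script://$SPLUNK_HOME\bin\scripts\splunk-admon.py"


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk-style .conf text. [default] is inherited by every other stanza,
    as in Splunk; keys keep their case; '%' has no special meaning."""
    parser = configparser.ConfigParser(default_section="default", interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def admon_input_enabled(inputs_conf: str) -> bool:
    """Step 2 of the procedure: the scripted input stanza must exist with disabled = 0."""
    conf = load_conf(inputs_conf)
    if not conf.has_section(ADMON_INPUT_STANZA):
        return False
    return conf.get(ADMON_INPUT_STANZA, "disabled", fallback="1").strip() == "0"


def domain_dn_from_host(fqdn: str) -> List[str]:
    """'pri01.eng.ad.splunk.com' -> ['dc=eng', 'dc=ad', 'dc=splunk', 'dc=com'].
    Assumes the DC's DNS domain is the AD domain it serves (the usual case)."""
    labels = fqdn.strip().lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"targetDC {fqdn!r} is not a fully qualified host name")
    return [f"dc={label}" for label in labels[1:]]


def dn_components(dn: str) -> List[str]:
    """Split a DN into lowercase RDNs; drops an LDAP:// prefix and honours '\\,' escapes."""
    dn = dn.strip()
    if dn.lower().startswith("ldap://"):
        dn = dn[len("ldap://"):]
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]


def node_in_dc_scope(starting_node: str, target_dc: str) -> bool:
    """The page requires startingNode to lie within the targeted DC's scope. Here that is
    read as: the node's domain is the DC's own domain or one beneath it (an assumption)."""
    node_domain = [c for c in dn_components(starting_node) if c.startswith("dc=")]
    dc_domain = domain_dn_from_host(target_dc)
    return len(node_domain) >= len(dc_domain) and node_domain[-len(dc_domain):] == dc_domain


def check_admon_conf(admon_conf: str) -> Dict[str, List[str]]:
    """Return {stanza: [problems]} for every target stanza; an empty list means it looks fine."""
    conf = load_conf(admon_conf)
    findings: Dict[str, List[str]] = {}
    for stanza in conf.sections():
        problems: List[str] = []
        target_dc = conf.get(stanza, "targetDC", fallback="").strip()
        node = conf.get(stanza, "startingNode", fallback="").strip()
        if conf.get(stanza, "disabled", fallback="0").strip() != "0":
            problems.append("stanza is disabled, so nothing is indexed for it")
        if target_dc and node and not node_in_dc_scope(node, target_dc):
            problems.append(f"startingNode {node} is outside the scope of targetDC {target_dc}")
        findings[stanza] = problems
    return findings


if __name__ == "__main__":
    print("admon input enabled:", admon_input_enabled(SAMPLE_INPUTS_CONF))
    for stanza, problems in check_admon_conf(SAMPLE_ADMON_CONF).items():
        print(stanza, "->", problems or "OK")
```

The second stanza in the constructed admon.conf is deliberately wrong: its targetDC sits in eng.ad.splunk.com while its startingNode is in the parent domain ad.splunk.com, so the check flags it. The reverse arrangement (DC in the parent domain, node in a child OU) passes, matching the multi-level scenario the page describes.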

Sample admon output

There are four types of events admon creates in Splunk during normal operation: schema, sync, update and delete.

  • a schema event is created for each object type, listing all the available fields and whether they are required or optional. This also detects schema extensions.
  • sync events are the initial load-in events for each object as Splunk indexes the current state of the AD instance. There is one per object, per DC.
  • update events occur as admon detects changes in the instance and records them. Changes are detected by watching for increments in the USN of the object. Note that although admon only requests changed fields, AD may automatically mark additional fields as changed.
  • delete events are a special kind of update event, detected by the field isDeleted being a changed field (and set to True).

Note the examples given below have been slightly altered for documentation purposes.

Schema event

Schema type event: admonEventType=schema. Holds the definitions of every object in the Active Directory structure, listing for each object which fields are available, required, and optional.

02/01/2010 15:11:16.0518
dcName=LDAP://stuff.splunk.com/
admonEventType=schema
className=msExchProtocolCfgSMTPIPAddress
classCN=ms-Exch-Protocol-Cfg-SMTP-IP-Address
instanceType=MandatoryProperties
nTSecurityDescriptor=MandatoryProperties
objectCategory=MandatoryProperties
objectClass=MandatoryProperties
adminDescription=OptionalProperties
adminDisplayName=OptionalProperties
allowedAttributes=OptionalProperties
allowedAttributesEffective=OptionalProperties
allowedChildClasses=OptionalProperties
allowedChildClassesEffective=OptionalProperties
bridgeheadServerListBL=OptionalProperties
canonicalName=OptionalProperties
cn=OptionalProperties
createTimeStamp=OptionalProperties
description=OptionalProperties
directReports=OptionalProperties
displayName=OptionalProperties
displayNamePrintable=OptionalProperties
distinguishedName=OptionalProperties
dSASignature=OptionalProperties
dSCorePropagationData=OptionalProperties
extensionName=OptionalProperties
flags=OptionalProperties
fromEntry=OptionalProperties
frsComputerReferenceBL=OptionalProperties
fRSMemberReferenceBL=OptionalProperties
fSMORoleOwner=OptionalProperties
heuristics=OptionalProperties
isCriticalSystemObject=OptionalProperties
isDeleted=OptionalProperties
isPrivilegeHolder=OptionalProperties
lastKnownParent=OptionalProperties
legacyExchangeDN=OptionalProperties
managedObjects=OptionalProperties
masteredBy=OptionalProperties
memberOf=OptionalProperties
modifyTimeStamp=OptionalProperties
mS-DS-ConsistencyChildCount=OptionalProperties
mS-DS-ConsistencyGuid=OptionalProperties
msCOM-PartitionSetLink=OptionalProperties
msCOM-UserLink=OptionalProperties
msDFSR-ComputerReferenceBL=OptionalProperties
msDFSR-MemberReferenceBL=OptionalProperties
msDS-Approx-Immed-Subordinates=OptionalProperties
msDs-masteredBy=OptionalProperties
msDS-MembersForAzRoleBL=OptionalProperties
msDS-NCReplCursors=OptionalProperties
msDS-NCReplInboundNeighbors=OptionalProperties
msDS-NCReplOutboundNeighbors=OptionalProperties
msDS-NonMembersBL=OptionalProperties
msDS-ObjectReferenceBL=OptionalProperties
msDS-OperationsForAzRoleBL=OptionalProperties
msDS-OperationsForAzTaskBL=OptionalProperties
msDS-ReplAttributeMetaData=OptionalProperties
msDS-ReplValueMetaData=OptionalProperties
msDS-TasksForAzRoleBL=OptionalProperties
msDS-TasksForAzTaskBL=OptionalProperties
msExchADCGlobalNames=OptionalProperties
msExchALObjectVersion=OptionalProperties
msExchHideFromAddressLists=OptionalProperties
msExchInconsistentState=OptionalProperties
msExchIPAddress=OptionalProperties
msExchTurfList=OptionalProperties
msExchUnmergedAttsPt=OptionalProperties
msExchVersion=OptionalProperties
msSFU30PosixMemberOf=OptionalProperties
name=OptionalProperties
netbootSCPBL=OptionalProperties
nonSecurityMemberBL=OptionalProperties
objectGUID=OptionalProperties
objectVersion=OptionalProperties
otherWellKnownObjects=OptionalProperties
ownerBL=OptionalProperties
partialAttributeDeletionList=OptionalProperties
partialAttributeSet=OptionalProperties
possibleInferiors=OptionalProperties
proxiedObjectName=OptionalProperties
proxyAddresses=OptionalProperties
queryPolicyBL=OptionalProperties
replicatedObjectVersion=OptionalProperties
replicationSignature=OptionalProperties
replPropertyMetaData=OptionalProperties
replUpToDateVector=OptionalProperties
repsFrom=OptionalProperties
repsTo=OptionalProperties
revision=OptionalProperties
sDRightsEffective=OptionalProperties
serverReferenceBL=OptionalProperties
showInAddressBook=OptionalProperties
showInAdvancedViewOnly=OptionalProperties
siteObjectBL=OptionalProperties
structuralObjectClass=OptionalProperties
subRefs=OptionalProperties
subSchemaSubEntry=OptionalProperties
systemFlags=OptionalProperties
unmergedAtts=OptionalProperties
url=OptionalProperties
uSNChanged=OptionalProperties
uSNCreated=OptionalProperties
uSNDSALastObjRemoved=OptionalProperties
USNIntersite=OptionalProperties
uSNLastObjRem=OptionalProperties
uSNSource=OptionalProperties
wbemPath=OptionalProperties
wellKnownObjects=OptionalProperties
whenChanged=OptionalProperties
whenCreated=OptionalProperties
wWWHomePage=OptionalProperties


Sync event

Sync type event: admonEventType=Sync. Represents one instance of an object and its field values. Splunk syncs back to the very beginning, trying to capture all of the objects from the last recorded USN.

02/01/2010 15:11:09.0748
dcName=ftw.ad.splunk.com
admonEventType=Sync
Names:
                name=NTDS Settings
                distinguishedName=CN=NTDS Settings,CN=stuff,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration
                cn=NTDS Settings
                objectCategory=CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=ad,DC=splunk,DC=com
                fullPath=LDAP://stuff.splunk.com/<GUID=bla bla bla>
                CN=NTDS Settings
Object Details:
                whenCreated=10:15.04 pm, Tue 02/12/2008
                whenChanged=10:23.00 pm, Tue 02/12/2008
                objectGUID=bla bla bla
                objectClass=top|applicationSettings|nTDSDSA
                classPath=nTDSDSA
Event Details:
                instanceType=4
Additional Details:
                systemFlags=33554432
                showInAdvancedViewOnly=TRUE
                serverReferenceBL=CN=stuff,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System
                options=1
                msDS-hasMasterNCs=DC=ForestDnsZones|DC=DomainDnsZones|CN=Schema,CN=Configuration|CN=Configuration
                msDS-HasInstantiatedNCs=
                msDS-HasDomainNCs=blah
                msDS-Behavior-Version=2
                invocationId=bla bla bla
                hasMasterNCs=CN=Schema,CN=Configuration|CN=Configuration
                dSCorePropagationData=
                dMDLocation=CN=Schema,CN=Configuration
                nTSecurityDescriptor=NT AUTHORITY\Authenticated Users
SchemaName=LDAP://stuff.splunk.com/schema/nTDSDSA                          


Update event

Update type event: admonEventType=Update. An object has been changed; this includes a change to any of the object's fields.

02/01/2010 15:17:18.0099
dcName=ftw.ad.splunk.com
admonEventType=Update
Names:
                objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=ad,DC=splunk,DC=com
                name=THE
                displayName=THE$
                distinguishedName=CN=THE,CN=Computers,DC=ad,DC=splunk,DC=com
                cn=THE
Object Details:
                sAMAccountType=805306369
                sAMAccountName=THE$
                logonCount=4216
                accountExpires=9223372036854775807
                objectSid=S-1-5-21-3436176729-1841096389-3700143990-1190
                primaryGroupID=515
                pwdLastSet=129091141316250000
                lastLogon=129095398380468750
                lastLogoff=0
                badPasswordTime=0
                countryCode=0
                codePage=0
                badPwdCount=0
                userAccountControl=4096
                objectGUID=5608e9b5-93be-284a-558f-cabb70f647a1
                whenChanged=20100128010211.0Z
                whenCreated=20081125172950.0Z
                objectClass=top|person|organizationalPerson|user|computer
Event Details:
                uSNChanged=2921916
                uSNCreated=1679623
                instanceType=4
Additional Details:
                isCriticalSystemObject=FALSE
                servicePrincipalName=TERMSRV/THE|TERMSRV/the.ad.splunk.com|HOST/THE|HOST/the.ad.splunk.com
                dNSHostName=the.ad.splunk.com
                operatingSystemServicePack=Service Pack 2
                operatingSystemVersion=6.0 (6002)
                operatingSystem=Windows Vista™ Ultimate
                localPolicyFlags=0

Delete event

An object has been marked for deletion. Even though admonEventType=Update, notice the isDeleted=True at the end of the event.

02/01/2010 15:11:16.0954
dcName=ftw.ad.splunk.com
admonEventType=Update
Names:
                name=SplunkTest
DEL:08ddfbb9-00a5-42fd-a729-4d9fcbdfe8ec
                distinguishedName=OU=SplunkTest\0ADEL:08ddfbb9-00a5-42fd-a729-4d9fcbdfe8ec,CN=Deleted Objects,DC=ad,DC=splunk,DC=com
                ou=SplunkTest
DEL:08ddfbb9-00a5-42fd-a729-4d9fcbdfe8ec
Object Details:
                objectGUID=807abf9b-dd00-a542-fd29-4d9fcbdfe8ec
                whenChanged=20100128233113.0Z
                whenCreated=20100128232712.0Z
                objectClass=top|organizationalUnit
Event Details:
                uSNChanged=2922895
                uSNCreated=2922846
                instanceType=4
Additional Details:
                dSCorePropagationData=20100128233113.0Z|20100128233113.0Z|20100128233113.0Z|16010108151056.0Z
                lastKnownParent=DC=ad,DC=splunk,DC=com
                isDeleted=TRUE
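
The following Python, added here and not part of the Splunk documentation, parses the raw admon event format shown above (a timestamp line, then key=value lines grouped under section headers such as Names: and Object Details:) and classifies each event into the four kinds described earlier: schema, sync, update and delete, where a delete is an Update whose changed fields include isDeleted=TRUE. It also handles the deleted-object name, which AD renders with an embedded newline (the \0A visible in the DN), so admon prints the DEL:<guid> suffix on a line of its own. The sample events are constructed and shortened from the page's sync and delete examples; the function names are assumptions.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample events, shortened from the page's sync and delete samples.
SYNC_EVENT = """02/01/2010 15:11:09.0748
dcName=ftw.ad.splunk.com
admonEventType=Sync
Names:
                name=NTDS Settings
                distinguishedName=CN=NTDS Settings,CN=stuff,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration
Object Details:
                objectClass=top|applicationSettings|nTDSDSA
Event Details:
                instanceType=4
"""

DELETE_EVENT = """02/01/2010 15:11:16.0954
dcName=ftw.ad.splunk.com
admonEventType=Update
Names:
                name=SplunkTest
DEL:08ddfbb9-00a5-42fd-a729-4d9fcbdfe8ec
                distinguishedName=OU=SplunkTest\\0ADEL:08ddfbb9-00a5-42fd-a729-4d9fcbdfe8ec,CN=Deleted Objects,DC=ad,DC=splunk,DC=com
Object Details:
                objectClass=top|organizationalUnit
Event Details:
                uSNChanged=2922895
Additional Details:
                lastKnownParent=DC=ad,DC=splunk,DC=com
                isDeleted=TRUE
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):\s*$")      # "Names:", "Object Details:", ...
KV_RE = re.compile(r"^\s*([^=\s][^=]*?)\s*=(.*)$")   # key=value; the value may itself contain '='


def parse_admon_event(raw: str) -> Dict[str, Any]:
    """Turn one raw admon event into {'timestamp': str, 'fields': {key: value}}.
    Pipe-separated values (objectClass=top|person|...) become lists. A line with no '='
    that is not a section header continues the previous value: AD allows a newline in an
    RDN (shown as \\0A in the DN) and admon prints the remainder on its own line."""
    lines = raw.strip("\n").splitlines()
    fields: Dict[str, Any] = {}
    last_key = None
    for line in lines[1:]:
        if SECTION_RE.match(line):
            last_key = None
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            fields[key] = value.split("|") if "|" in value else value
            last_key = key
        elif last_key is not None and line.strip() and isinstance(fields[last_key], str):
            fields[last_key] = fields[last_key] + "\n" + line.strip()
    return {"timestamp": lines[0].strip(), "fields": fields}


def classify(event: Dict[str, Any]) -> str:
    """Map an event to the page's four kinds: schema, sync, update, delete.
    A delete is an Update whose changed fields include isDeleted=TRUE."""
    fields = event["fields"]
    kind = str(fields.get("admonEventType", "")).lower()
    if kind == "update" and str(fields.get("isDeleted", "")).upper() == "TRUE":
        return "delete"
    return kind if kind in ("schema", "sync", "update") else "unknown"


def deleted_object_origin(event: Dict[str, Any]) -> Tuple[str, str]:
    """For a delete event, recover the object's original name (the part before the
    embedded-newline DEL:<guid> suffix) and the container it lived in (lastKnownParent)."""
    fields = event["fields"]
    name = str(fields.get("name", ""))
    return name.split("\n", 1)[0], str(fields.get("lastKnownParent", ""))


def summarize(raw_events: List[str]) -> List[Tuple[str, str, str]]:
    """(kind, distinguishedName, uSNChanged) per event, e.g. to drive an alert on deletes."""
    rows = []
    for raw in raw_events:
        ev = parse_admon_event(raw)
        f = ev["fields"]
        rows.append((classify(ev), str(f.get("distinguishedName", "")), str(f.get("uSNChanged", ""))))
    return rows


if __name__ == "__main__":
    for row in summarize([SYNC_EVENT, DELETE_EVENT]):
        print(row)
    print(deleted_object_origin(parse_admon_event(DELETE_EVENT)))
```

The continuation rule is the one edge case worth noticing: without it, the DEL:<guid> line after name=SplunkTest would be dropped and the deleted object's name would silently lose the marker that distinguishes it from a live object of the same name.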

Revision: 207