This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6
Configure Active Directory auditing as an input to monitor changes to portions of, or all of, your AD forest and collect user and machine metadata.
Once you've enabled this feature and restarted Splunk, it takes a baseline snapshot of your AD data and the AD schema and uses that snapshot as the starting point against which it monitors for changes. The process is throttled so that it won't overwhelm your connection if you're auditing a remote AD instance, but it might take a little time to complete.
Because this feature is included in the Windows app, you must configure the relevant files within that app's directory structure, so be sure you're editing the files in the correct location.
1. Make a copy of $SPLUNK_HOME\etc\apps\windows\default\inputs.conf and put it in $SPLUNK_HOME\etc\apps\windows\local\inputs.conf.
2. Edit the copy and enable the scripted input [script://$SPLUNK_HOME\bin\scripts\splunk-admon.py] by setting the value of disabled to 0.
3. Next, make a similar copy of $SPLUNK_HOME\etc\apps\windows\default\admon.conf and put it in $SPLUNK_HOME\etc\apps\windows\local\admon.conf.
4. Edit the copy using the information later in this topic. By default, when enabled, Splunk indexes the default domain controller of the domain that the user account Splunk runs as belongs to. If that is acceptable, no further configuration is necessary; it will just work.
monitorSubtree = 0 tells Splunk to index only the target container. A value of 1 (the default) tells Splunk to enumerate all sub-containers and domains it has access to.
targetDC = unique name of the domain controller host you want to monitor. Specify a unique name if:
If you want to target multiple DCs, add another [<uniquename>TargetDC] stanza for each additional target in that tree.
startingNode = a fully qualified LDAP name (e.g. "LDAP://OU=Computers,DC=ad,DC=splunk,DC=com") where Splunk begins indexing. Splunk starts there and enumerates down into sub-containers, depending on the setting of monitorSubtree above. If you don't specify a value, it starts at the highest root domain in the tree it can access.
The startingNode must be within the scope of the DC you are targeting to be successful.
You can target a DC that sits at a higher level of the tree than the OU you want to audit. For example, to audit the Computers OU in the eng.ad.splunk.com subdomain:
Target one of the domain controllers in ad.splunk.com. You might do this if you want the schema for the entire tree, not just the sub-domain.
Then set the starting node to that OU in eng.ad.splunk.com to audit machines being added to and removed from it.
[default]
monitorSubtree = 1
disabled = 0

[DefaultTargetDC]
targetDC = pri01.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com
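The configuration steps above (enable the scripted input in the local copy of inputs.conf, then describe your targets in admon.conf) as an added Python example. This is not Splunk's own code: it parses Splunk's INI-style conf format, applies the default/local layering so you can see that the local/ copy only needs to carry the keys it changes, and renders an admon.conf for a list of targets. The within_scope check is an assumption derived from the rule above that startingNode must lie within the targeted DC's scope, read, following the ad.splunk.com / eng.ad.splunk.com example, as "the node's domain is the DC's domain or a sub-domain of it". The sample default inputs.conf text is constructed for illustration.

```python
"""Added example (not Splunk's code): build the local overlay that enables the
admon scripted input, and render/validate admon.conf targets.

Splunk .conf files are INI-style: [stanza] headers followed by key = value
lines, and a local/ copy overrides default/ on a per-key basis."""

import re

# Constructed stand-in for $SPLUNK_HOME\etc\apps\windows\default\inputs.conf.
DEFAULT_INPUTS_CONF = r"""[default]
disabled = 1

[script://$SPLUNK_HOME\bin\scripts\splunk-admon.py]
interval = 60
disabled = 1
"""

ADMON_STANZA = r"script://$SPLUNK_HOME\bin\scripts\splunk-admon.py"


def parse_conf(text):
    """Parse Splunk conf text into {stanza: {key: value}}, preserving key case."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            conf.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conf[current][key.strip()] = value.strip()
    return conf


def render_conf(conf):
    """Serialise {stanza: {key: value}} back into Splunk conf text."""
    out = []
    for stanza, settings in conf.items():
        out.append("[%s]" % stanza)
        out.extend("%s = %s" % kv for kv in settings.items())
        out.append("")
    return "\n".join(out)


def layer(default, local):
    """Apply Splunk's default/local precedence: a key in local/ wins, all others fall through."""
    merged = {stanza: dict(kv) for stanza, kv in default.items()}
    for stanza, settings in local.items():
        merged.setdefault(stanza, {}).update(settings)
    return merged


def enable_admon_input(default_text):
    """Step 2: the local/inputs.conf overlay that sets disabled = 0 on the admon script.
    Only the changed key is written; interval etc. still come from default/."""
    default = parse_conf(default_text)
    if ADMON_STANZA not in default:
        raise ValueError("admon scripted input stanza not found in default inputs.conf")
    return {ADMON_STANZA: {"disabled": "0"}}


def dn_to_domain(ldap_dn):
    """Turn 'LDAP://OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com' into 'eng.ad.splunk.com'."""
    dn = re.sub(r"^LDAP://", "", ldap_dn.strip(), flags=re.IGNORECASE)
    labels = [part.split("=", 1)[1].strip()
              for part in dn.split(",") if part.strip().upper().startswith("DC=")]
    return ".".join(labels).lower()


def within_scope(target_dc, starting_node):
    """Assumed reading of the page's rule: the startingNode's domain must equal the
    targetDC's domain or be a sub-domain of it. A bare host name cannot be checked."""
    _host, _, dc_domain = target_dc.lower().partition(".")
    if not dc_domain:
        return True
    node_domain = dn_to_domain(starting_node)
    return node_domain == dc_domain or node_domain.endswith("." + dc_domain)


def build_admon_conf(targets, monitor_subtree=1):
    """Step 4: render admon.conf with one [<name>TargetDC] stanza per (name, targetDC, startingNode)."""
    conf = {"default": {"monitorSubtree": str(monitor_subtree), "disabled": "0"}}
    for name, target_dc, starting_node in targets:
        if starting_node and not within_scope(target_dc, starting_node):
            raise ValueError("%s: startingNode %s is outside the scope of %s"
                             % (name, starting_node, target_dc))
        stanza = {"targetDC": target_dc}
        if starting_node:
            stanza["startingNode"] = starting_node
        conf[name + "TargetDC"] = stanza
    return render_conf(conf)


if __name__ == "__main__":
    print(render_conf(enable_admon_input(DEFAULT_INPUTS_CONF)))
    print(build_admon_conf([("Default", "pri01.ad.splunk.com",
                             "OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com")]))
```

Running the block prints the two-line local/inputs.conf overlay and the admon.conf shown above. Because local/ layers over default/ per key, copying the whole default file (as the steps describe) and writing only the overridden stanza give the same effective configuration; the shorter overlay is easier to review and survives upgrades of the default file.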
You can combine this feature with dynamic list lookups to decorate or modify events with any information available in AD. The Splunk Community Wiki has an overview of how to do this.