TIPS & TRICKS

Which Microsoft Servers are inactive?

What can you tell me about my environment? It's a common enough question, and Splunk seems able to answer every variant of it. The latest was this: can you give me a list of all the servers that are inactive? Inactive, for the purposes of this post, means that a server is bound to the domain but has not logged into the domain for some period of time.

One of my favorite tools for answering these questions is the SA-ldapsearch set of commands. Fortunately for us, Active Directory stores the timestamp we need. Unfortunately for us, it stores two of them. The first is called lastLogon and holds the time at which the system in question last authenticated to THIS domain controller. The second is called lastLogonTimestamp and holds the time at which the system last authenticated to ANY domain controller. This is an important distinction (the customer actually queried me on this one, so I had to go and check). Microsoft's attribute documentation has the full definitions; the important part is this: lastLogonTimestamp is replicated lazily and can be 9-14 days behind the real event, so the Windows Event Log is the place to find real-time logon information. Fortunately, we don't need real time, so the laziness is fine for our purposes.

We can start with a fairly basic ldapsearch command, such as this:

|ldapsearch domain=XXX search="(&(operatingSystem=*Server*)(objectCategory=computer))" attrs="cn,operatingSystem,lastLogonTimestamp" | table cn,operatingSystem,lastLogonTimestamp

The lastLogonTimestamp is returned as a textual date rather than as epoch seconds, so we cannot do arithmetic on it directly. Fortunately, Splunk provides a strptime() function. It works like the regular Python strptime() function but runs in the search pipeline, converting textual dates into epoch time that Splunk can work with. You specify the format as a series of % codes. Here is how we can do the conversion:

|ldapsearch domain=splk search="(&(operatingSystem=*Server*)(objectCategory=computer))" attrs="cn,operatingSystem,lastLogonTimestamp"|eval llt=strptime(lastLogonTimestamp,"%Y/%m/%d %T %Z") | eval inactiveTime=now() - llt

We now have a field called inactiveTime that contains the number of seconds that the system has been inactive.  We can easily filter out the systems that are active and concentrate on the ones that are inactive:

|ldapsearch domain=splk search="(&(operatingSystem=*Server*)(objectCategory=computer))" attrs="cn,operatingSystem,lastLogonTimestamp"|eval llt=strptime(lastLogonTimestamp,"%Y/%m/%d %T %Z") | eval inactiveTime=now() - llt | where inactiveTime > (14*86400) | table cn,operatingSystem,lastLogonTimestamp,inactiveTime

Note that I use 14 days as the threshold because of the lazy replication employed by Active Directory. Anything shorter is unreliable.
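The searches above are SPL and run only inside Splunk. As an added example, not code from the original post or from the SA-ldapsearch app, here is the same logic in Python so the conversion and the threshold can be exercised against a few constructed rows shaped like the search's output. The row values, the fixed "now", and the function names (parse_last_logon, inactive_seconds, threshold_is_reliable, classify_servers) are my own assumptions. It also covers one failure mode the SPL version hides: a computer object with no lastLogonTimestamp at all.

```python
from datetime import datetime, timezone

# Constructed sample rows, shaped like the output of the ldapsearch command in
# the post (lastLogonTimestamp as a "%Y/%m/%d %T %Z" string).  The empty value
# on the last row models a computer object that carries no lastLogonTimestamp
# attribute, which is what a freshly joined machine looks like.
SAMPLE_ROWS = [
    {"cn": "SRV-FILE01", "operatingSystem": "Windows Server 2019",
     "lastLogonTimestamp": "2024/03/10 08:15:42 UTC"},
    {"cn": "SRV-DB02", "operatingSystem": "Windows Server 2016",
     "lastLogonTimestamp": "2024/01/10 23:59:01 UTC"},
    {"cn": "SRV-OLD03", "operatingSystem": "Windows Server 2012 R2",
     "lastLogonTimestamp": "2023/11/05 02:30:00 UTC"},
    {"cn": "SRV-NEW04", "operatingSystem": "Windows Server 2022",
     "lastLogonTimestamp": ""},
]

# lastLogonTimestamp is replicated lazily and can trail the real logon by up to
# 14 days, so no inactivity threshold below this is trustworthy.
REPLICATION_LAG_DAYS = 14

# Fixed reference time (constructed) so the run is reproducible.
FIXED_NOW = datetime(2024, 3, 15, 12, 0, 0, tzinfo=timezone.utc)


def parse_last_logon(value):
    """Turn the "%Y/%m/%d %T %Z" string into an aware datetime, or None if absent.

    Python's strptime has no %T directive (Splunk's %T is %H:%M:%S), and its %Z
    handling depends on the host locale, so the zone token is checked by hand.
    """
    if not value or not value.strip():
        return None
    stamp, _, zone = value.strip().rpartition(" ")
    if zone.upper() not in ("UTC", "GMT"):
        raise ValueError(f"unexpected time zone in lastLogonTimestamp: {value!r}")
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def inactive_seconds(value, now):
    """Seconds since the last logon, the same number the SPL inactiveTime holds.

    Returns None when the attribute is missing.  In SPL that row gets a null
    inactiveTime and silently falls out of `where inactiveTime > ...`, hiding
    exactly the machines that have never logged on.
    """
    last = parse_last_logon(value)
    if last is None:
        return None
    return (now - last).total_seconds()


def threshold_is_reliable(threshold_days):
    """A threshold shorter than the replication lag yields false 'inactive' hits."""
    return threshold_days >= REPLICATION_LAG_DAYS


def classify_servers(rows, now=None, threshold_days=REPLICATION_LAG_DAYS):
    """Split ldapsearch rows into active, inactive and no-timestamp buckets."""
    if not threshold_is_reliable(threshold_days):
        raise ValueError(f"threshold must be at least {REPLICATION_LAG_DAYS} days")
    now = now or datetime.now(timezone.utc)
    buckets = {"active": [], "inactive": [], "no_timestamp": []}
    for row in rows:
        secs = inactive_seconds(row["lastLogonTimestamp"], now)
        if secs is None:
            buckets["no_timestamp"].append(row["cn"])
        elif secs > threshold_days * 86400:   # same test as the SPL where clause
            buckets["inactive"].append(row["cn"])
        else:
            buckets["active"].append(row["cn"])
    return buckets


if __name__ == "__main__":
    report = classify_servers(SAMPLE_ROWS, FIXED_NOW)
    for bucket, names in report.items():
        print(f"{bucket:>12}: {', '.join(names) or '-'}")
```

The no_timestamp bucket is the point worth carrying back to the search: in the SPL version a missing attribute makes strptime() return null, so the row never matches `where inactiveTime > (14*86400)` and disappears from the report. Appending `OR isnull(inactiveTime)` to the where clause keeps those objects visible so they can be reviewed alongside the genuinely stale ones.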

Posted by Splunk