Okay, so it is past time for me to write a little more about our favourite network admin app…Splunk! In today’s post, we’ll cover how to get the Windows application talking to Active Directory, using our install on Windows that we configured to run under a domain service account. If you installed your splunk> instance using the built-in service account, create a domain account, make it a member of the local Administrators group on your splunk> server, reconfigure the splunkd and splunkweb services to log on as that account, and reboot. From there, we’re ready to begin.
Of course you need to be using the Windows version of splunk>, on a domain member, and under a domain account that has permission to query AD for all the data you want. While it may be tempting to just make the splunk> service account a member of Domain Admins…don’t be that guy. Start with what a plain domain user can read, and add rights only when a specific query needs them. We’ll cover that in a later post if it proves necessary, but right now, just being a domain user lets us see enough to catch changes in AD.
If you have all that squared away, you are ready to proceed. A lot of the following comes from this page on splunk.com, but I have edited it to reflect what I had to do to make this work. Since configuring through the web interface didn’t work out for me, I had to go edit files old-school style.
1. Copy $SPLUNK_HOME\etc\system\default\inputs.conf to $SPLUNK_HOME\etc\system\local\inputs.conf. (A local inputs.conf containing only the stanza added in the next step is also sufficient: Splunk layers local over default, so nothing has to be duplicated, and a full copy freezes every default setting across upgrades.) If you installed splunk> using defaults, then $SPLUNK_HOME is C:\Program Files\Splunk.
2. Open the new inputs.conf with your favourite text editor and insert a new section at the bottom of the file that looks like this. Everything here is literal; there is nothing to substitute.

    [script://$SPLUNK_HOME\bin\scripts\splunk-admon.py]
    interval = 60
    source = ActiveDirectory
    sourcetype = ActiveDirectory
    disabled = 0
3. Next, copy $SPLUNK_HOME\etc\apps\windows\default\admon.conf and paste it into $SPLUNK_HOME\etc\system\local\admon.conf.
4. Open the new admon.conf with your favourite text editor and insert a new section that looks like this at the bottom of the file. You can yank out all the comment text (lines starting with #) if you wish. Substitute your domain controller’s FQDN and your domain name where appropriate. You can specify an OU= in startingNode if you only want to monitor a subset of your domain.
    [default]
    monitorSubtree = 1
    disabled = 0

    [NearestDC]
    targetDc = dc1.example.com
    startingNode = dc=example,dc=com
monitorSubtree = 1 tells the admon process to start at the top of whatever tree startingNode defines and monitor everything underneath it. disabled = 0 enables the input. You can leave targetDc blank and admon will index from the first domain controller the splunk-admon.exe process can attach to. If that is acceptable, no further configuration is necessary; it will just work, but I like to point it at a specific domain controller to simplify troubleshooting. Finally, setting startingNode to your domain root means that, in conjunction with monitorSubtree, you will get everything that happens in AD, as long as splunk>’s service account has rights to read that data in AD. Note, the KB article says to use an ldap:// path in startingNode…this did not work for me. What I have above does.
5. Use the Splunk Manager to restart splunk> and then check task manager to make sure that splunk-admon.exe is running. Then, go into your Windows app, and see your new data source called Active Directory. If it does not appear right away, go make a change in AD (add yourself to a group) and give it a little time to replicate in AD, then query again. You should be set.
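Steps 1 through 5 above, as one script. This is an added example, not code from the original post or from Splunk: it writes the two stanzas into $SPLUNK_HOME\etc\system\local, prints the merged admon.conf that Splunk will actually use, restarts splunk> and then checks that splunk-admon.exe came up. The install path is the default from step 1; the domain controller and domain root are placeholders you must replace. Run it from an elevated PowerShell prompt on the splunk> server.

```powershell
# Added example (not from the original post): apply steps 1-5 and verify.
# Assumptions: default install path; dc1.example.com / dc=example,dc=com are
# placeholders for your own domain controller FQDN and domain root.
$SplunkHome = 'C:\Program Files\Splunk'
$TargetDc   = 'dc1.example.com'       # ASSUMPTION: your DC's FQDN
$StartNode  = 'dc=example,dc=com'     # ASSUMPTION: your domain root (or an OU=...)

$Local = Join-Path $SplunkHome 'etc\system\local'
if (-not (Test-Path $Local)) { New-Item -ItemType Directory -Path $Local | Out-Null }

# inputs.conf: a local file only needs the stanza we add; Splunk layers it
# over etc\system\default\inputs.conf. The backtick keeps $SPLUNK_HOME literal.
$InputsStanza = @"

[script://`$SPLUNK_HOME\bin\scripts\splunk-admon.py]
interval = 60
source = ActiveDirectory
sourcetype = ActiveDirectory
disabled = 0
"@
Add-Content -Path (Join-Path $Local 'inputs.conf') -Value $InputsStanza -Encoding Ascii

# admon.conf: watch the whole subtree under the domain root on one named DC.
$AdmonConf = @"
[default]
monitorSubtree = 1
disabled = 0

[NearestDC]
targetDc = $TargetDc
startingNode = $StartNode
"@
Set-Content -Path (Join-Path $Local 'admon.conf') -Value $AdmonConf -Encoding Ascii

$Splunk = Join-Path $SplunkHome 'bin\splunk.exe'

# btool shows the merged configuration (default + local) and which file each
# setting came from, so a typo in the stanza name shows up before you restart.
& $Splunk btool admon list --debug

& $Splunk restart

# splunkd launches its scripted inputs shortly after start; then verify.
Start-Sleep -Seconds 30
$Admon = Get-Process -Name 'splunk-admon' -ErrorAction SilentlyContinue
if ($Admon) {
    "splunk-admon.exe is running (PID $(@($Admon)[0].Id))"
} else {
    Write-Warning 'splunk-admon.exe is not running; check var\log\splunk\splunkd.log for admon errors'
}
```

If the process is missing, splunkd.log is the place to look: admon failures to bind to the DC or to read the starting node are logged there, and they are usually a rights problem on the service account rather than a typo in the stanza.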
Check the Security log on your splunk> server. If you see an audit failure with event ID 5159 (the Windows Filtering Platform blocked a bind to a local port) that names splunk-admon.exe, you’re going to need to create a firewall rule that allows splunk-admon.exe to open its connection (or stop and disable the Windows Firewall service. Jus’ sayin’.) Prefer the rule: it can be scoped to that one executable, whereas switching the firewall off on a box that runs under a domain account with local admin rights trades a small annoyance for a large hole.
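The firewall check, as an added example rather than anything from the original post: it pulls recent 5159 audit failures from the Security log, keeps only those that mention splunk-admon.exe, and if any exist adds firewall rules scoped to that single binary instead of disabling the firewall. The executable path assumes the default install location; the rule names are my own.

```powershell
# Added example (not from the original post): confirm that Windows Filtering
# Platform is what is blocking splunk-admon.exe, then allow just that program.
# ASSUMPTION: default install path.
$AdmonExe = 'C:\Program Files\Splunk\bin\splunk-admon.exe'

# 5159 = "The Windows Filtering Platform has blocked a bind to a local port".
# Only events whose message names splunk-admon.exe are relevant here.
$Blocked = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5159 } `
               -MaxEvents 500 -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match 'splunk-admon\.exe' }

if (-not $Blocked) {
    'No 5159 events reference splunk-admon.exe; the firewall is not the problem.'
    return
}

"$(@($Blocked).Count) 5159 event(s) reference splunk-admon.exe. Most recent:"
$Blocked | Select-Object -First 1 -ExpandProperty Message

# Scope the rule to the program, not to "any". 5159 is a blocked local bind,
# so the inbound rule is the one that matters; the outbound rule only does
# anything if your outbound default is block. netsh works on Server 2008;
# on 2012 and later New-NetFirewallRule -Program does the same job.
netsh advfirewall firewall add rule name="Splunk admon (bind)" dir=in  action=allow program="$AdmonExe" enable=yes
netsh advfirewall firewall add rule name="Splunk admon (LDAP to DCs)" dir=out action=allow program="$AdmonExe" enable=yes
```

After adding the rules, restart splunk> and re-run the query; the 5159 entries for splunk-admon.exe should stop, and the Active Directory source should start filling in.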
Play around with the interactive field chooser to see what you can query on, or check back soon, as we’ll have a follow up post or two on querying/monitoring AD with splunk>. Until then, I leave you with this little gem I found recently on teh tubes. I couldn’t come up with a song to map to this post, and it is also surprisingly lacking in movie quotes, and you probably hadn’t noticed, but I’m a bit of a Domo fan. Yes, I know, it surprises me too. <♫> The more you know </♫> You’ll either love this video, or you will be left wondering just WTH is wrong with me. Either way, you’re left with something you didn’t have before! Enjoy.
Direct link for RSS and email subscribers…http://www.youtube.com/watch?v=MezgByTz7Xg
3 comments
Twitter: skywalka
2010-06-28 at 18:45
nice howto
have you discovered a way to run a splunk search for an AD update and determine who modified the object in AD?
Twitter: skywalka
2010-06-28 at 23:51
ignore my last comment, I figured it out:
search sourcetype="WinEventLog:Security" "Message=Security Enabled Global Group Member"
L.
Hi Luke,
Sorry I didn’t get to comments sooner (had a big server fall down go boom issue last night at work), but I’m glad you found your answer already. Use that as a pattern…many other events that you might want to report on, like GPO changes, account resets, etc., will be found in the same manner. I have an upcoming post about these as well.
Thanks for dropping by!
Ed