splunk activedirectory 1.1.4 deployad

Post on 14-Apr-2018


  • 7/27/2019 Splunk ActiveDirectory 1.1.4 DeployAD

    1/65

    Splunk App for Active Directory 1.1.4

    Deploy and Use the Splunk App for Active Directory

    Generated: 5/08/2013 2:32 am

    Copyright 2013 Splunk, Inc. All Rights Reserved


    Table of Contents

    Introduction
        About the Splunk App for Windows Server Active Directory
        How this app fits into the Splunk picture
        How to get support and find more information about Splunk

    Before you install
        Platform and hardware requirements
        What data the Splunk App for Active Directory collects
        Other deployment considerations

    Deploy the Splunk App for Active Directory
        What a Splunk App for Active Directory deployment looks like
        How to deploy the Splunk App for Active Directory
        Enable auditing and local PowerShell script execution on Active Directory servers
        Configure and deploy the technology add-ons
        Deploy TAs and configurations with a deployment server
        Configure the SA-ldapsearch supporting add-on
        Install the app onto the central Splunk instance

    Upgrade the Splunk App for Active Directory
        Upgrade the Splunk App for Active Directory

    Use the Splunk App for Active Directory
        Log in and get started
        Configuration
        Dashboard reference overview
        Dashboard reference: Operations
        Dashboard reference: Security
        Dashboard reference: Change Management

    Troubleshoot the Splunk App for Active Directory
        Troubleshoot the Splunk App for Active Directory

    Release notes
        Release notes


    Introduction

    About the Splunk App for Windows Server Active Directory

    Caution:

    The Splunk App for Active Directory does not currently work with Splunk universal forwarder versions 5.0 and later. If you run the Splunk App for Active Directory, do not upgrade any of the universal forwarders in that deployment. For additional details, see the release notes.

    The Splunk App for Windows Server Active Directory (hereafter known as the Splunk App for Active Directory) provides deep insight into your Windows Server Active Directory deployment. You can monitor the health of your forest, assess and dispatch security threats, and much more.

    Use the Splunk App for Active Directory to:

    * Get a detailed topology report on all aspects of your AD forest, including all domains, sites, domain controllers (complete with operations master roles) and AD objects.

    * Monitor AD Directory Services performance, including replication throughput, search performance, and any anomalous events that might signal upcoming problems.

    * Explore various security aspects in your AD forest, including failed and anomalous logons and account utilization.

    * Track changes to various AD objects such as users, groups, computers and group policy objects.

    How does it work?

    The Splunk App for Active Directory runs on top of a Splunk deployment and gathers extensive Active Directory metrics, including but not limited to:

    * AD replication and health statistics
    * LDAP search statistics
    * Performance monitor statistics
    * Security, Directory Service and Domain Name System (DNS) server event logs


    The app presents this data to you with reports and dashboards to give you full visibility into your Active Directory deployment.

    How do I get it?

    Download the Splunk App for Active Directory from Splunkbase.

    How do I upgrade from a previous version?

    If you are already running the Splunk App for Active Directory and want to upgrade, be sure to read "Upgrade the Splunk App for Active Directory" for important information and specific upgrading instructions.

    For information on what's been fixed from the previous version, as well as any known issues in this version, review the release notes.

    How this app fits into the Splunk picture

    The Splunk App for Active Directory is one of a variety of apps and add-ons available within the Splunk ecosystem. All Splunk apps and add-ons run on top of a core Splunk installation. You need to install Splunk first, and then install the app and/or add-on components of the Splunk App for Active Directory.

    For details about apps and add-ons, refer to "What are apps and add-ons?" in the core Splunk product documentation.

    To download Splunk, visit the download page on splunk.com. To get more apps and add-ons, visit Splunkbase.

    How to get support and find more information about Splunk

    If you need customer support for the Splunk App for Active Directory, log a case via the Splunk Support Portal.

    Find more information about Splunk

    There are a variety of options for finding more information about Splunk:

    * The core Splunk documentation
    * Splunk Answers
    * The #splunk IRC channel on EFNET


    Before you install

    Platform and hardware requirements

    This topic discusses the system and hardware requirements for running the Splunk App for Active Directory.

    Important: Installing and configuring the Splunk App for Active Directory is a complex, intense procedure. It is not for beginners. It requires an in-depth knowledge of Windows and Active Directory, as well as at least a general understanding of how to deploy Splunk in a distributed environment.

    We recommend that you contact Splunk's Professional Services for assistance in deploying the app.

    The Splunk App for Active Directory consists of several components:

    * The main Splunk App for Active Directory component installs directly onto a full Splunk instance, otherwise known as the "central" Splunk instance. It does not install onto a universal forwarder or a light forwarder, because Splunk Web is required to use the app's dashboards and reports.

    * The Splunk App for Active Directory includes four technology add-ons (TAs) which collect data from your Active Directory domain controllers and DNS servers. You deploy these TAs based on the version of Windows and the role that the server performs. More information on how to configure and deploy the TAs is available at "What a Splunk App for Active Directory deployment looks like" in this manual.

    * The SA-ldapsearch supporting add-on installs onto both the central Splunk instance and the universal forwarders that collect data for the Splunk App for Active Directory.

    Hardware requirements

    The Splunk App for Active Directory has hardware requirements similar to core Splunk. Depending on the size of your Active Directory environment, the Splunk App for Active Directory might require multiple servers to handle indexing and searching of AD data. We do not recommend installing the Splunk App for Active Directory in a virtual environment.

    For additional information on hardware requirements, review "System requirements" in the core Splunk documentation.

    Operating system requirements

    The main Splunk App for Active Directory component and the SA-ldapsearch supporting add-on install onto a Splunk instance running on any of the following operating systems:

    * Linux
    * Windows XP
    * Windows Vista
    * Windows 7
    * Windows Server 2003 (with SP2 or later) or Server 2003 R2 (with SP1 or later)
    * Windows Server 2008 (with SP2 or later) or Server 2008 R2 (with SP1 or later)
    * Windows Server 2012

    The app is not supported on the following Windows versions:

    * Windows 95
    * Windows 98
    * Windows Me
    * Windows NT Workstation/Server 3.1
    * Windows NT Workstation/Server 3.5
    * Windows NT Workstation/Server 4.0
    * Windows 2000 Workstation/Server
    * Windows Server 2008 Core

    You can also install the Splunk App for Active Directory on a non-Windows Splunk instance to display Active Directory information.

    The technology add-ons included with the Splunk App for Active Directory install into a universal forwarder. You install universal forwarders on the domain controllers and DNS servers in your AD environment.

    The TAs (as well as the SA-ldapsearch SA) support the following versions of Windows Server:

    * Windows Server 2003 (with SP2 or later and PowerShell 2.0 or later)
    * Windows Server 2003 R2 (with SP1 or later and PowerShell 2.0 or later)
    * Windows Server 2008 (with SP2 or later and PowerShell 2.0 or later)
    * Windows Server 2008 R2 (with SP1 or later and PowerShell 2.0 or later)
    * Windows Server 2008 R2 Core (with SP1 or later and PowerShell 2.0 or later)
    * Windows Server 2012

    Important: The TAs do not work on computers that run Windows Server 2008 Core because that version of Windows does not support PowerShell.

    For additional details about supported versions of Windows for Splunk, refer to "System requirements" in the core Splunk product documentation.

    What other items are required?

    In addition to the operating systems and versions of Splunk listed above, the Splunk App for Active Directory also requires the following:

    * PowerShell version 2.0 or later (PowerShell v1.0 is not supported).

    * The Splunk support for Active Directory (SA-ldapsearch) supporting add-on version 1.1.4 or later (which requires Java Standard Edition Runtime Environment version 1.7 or later).

    * The Splunk Technology Add-ons for Active Directory (which are included in the Splunk App for Active Directory installation package).

    * Sideview Utils version 1.3.2 or later.

    * The Splunk Technology Add-on for Windows version 4.5 or later.

    What versions of Splunk are supported?

    All instances of full Splunk in a Splunk App for Active Directory deployment must run version 4.3.1 or later.

    All universal forwarders in a Splunk App for Active Directory deployment must run version 4.2.5 or later (but not version 5.0 or later; see the caution in the Introduction).

    Be sure to download the correct version for your platform. In particular, ensure that you're running the 64-bit version of Splunk on 64-bit platforms.


    What data the Splunk App for Active Directory collects

    This topic describes what data the Splunk App for Active Directory collects.

    * Windows event logs: Security, Application, System, Distributed File System Replication (DFSR), File Replication Service (FRS), DNS Server

    * Active Directory schema changes (through Splunk's Active Directory monitoring input)

    * Active Directory forest-wide health, information and replication statistics (through PowerShell scripts)

    * Domain controller health and performance metrics (through performance monitoring inputs for memory, CPU, disk, network, and NTDS operations and connectivity performance counters)

    * DNS server health and information (through PowerShell scripts)

    * General Windows network information (through the Splunk Technology Add-on for Windows)

    Other deployment considerations

    This topic explores other tactics to consider when deploying the Splunk App for Active Directory and provides answers to frequently asked questions.

    Frequently asked questions

    Installation

    1. Can I collect data remotely from my domain controllers? No. You must install a universal forwarder on your domain controllers so that PowerShell scripts can run and collect data.

    2. But what about domain controller performance? Won't a universal forwarder utilize resources? Yes, but universal forwarders are designed to utilize as few resources as possible.

    Data Collection

    1. Can I collect the Windows event logs via a third-party method like Syslog-NG or Snare? No. The Splunk App for Active Directory expects events generated by Splunk's event log inputs and the Splunk TA for Windows.

    2. Can I collect data without using a universal forwarder? No. You need the universal forwarder in order to run the included PowerShell scripts.


    Universal forwarders that install onto the DNS servers and domain controllers in your Active Directory environment. These universal forwarders use the Splunk App for Active Directory's technology add-ons to collect AD data, then forward that data to the central Splunk instance.

    About the universal forwarders

    During the setup process, you install a universal forwarder onto the domain controllers and DNS servers in your AD environment. The forwarders then collect data from the servers using technology add-ons and send that data to the central Splunk instance for display and searching.

    You must install a universal forwarder on each domain controller and DNS server in your AD environment.

    About the Splunk for Active Directory supporting and technology add-ons

    The Splunk App for Active Directory comes with four technology add-ons (TAs). These TAs install into universal forwarders on the DNS servers and domain controllers in your AD environment.

    Each TA is a folder that contains objects that the Splunk App for Active Directory uses to collect data from a DNS server or domain controller. The TAs are specific to the Splunk App for Active Directory. The name of each TA corresponds to the version of Windows that runs on the DNS server or domain controller.

    The Splunk App for Active Directory installation package contains the TAs, in Splunk_for_ActiveDirectory\appserver\addons. You install the appropriate TAs for the Windows version and AD role into the universal forwarders on each AD server as part of the deployment process.

    The SA-ldapsearch supporting add-on is available for download from Splunkbase. You download this add-on and install it onto the central Splunk instance.

    The following table describes the add-ons and where you install them in the course of deploying the Splunk App for Active Directory:

    Name: SA-ldapsearch
    Description: Performs LDAP searches on specified AD forests and domains.

    Name: TA-DomainController-NT5
    Description: Collects AD, event log, and performance metrics on Windows Server 2003 or Server 2003 R2 domain controllers.

    Name: TA-DomainController-NT6
    Description: Collects AD, event log, and performance metrics on Windows Server 2008, Server 2008 R2, or Server 2012 domain controllers.

    Name: TA-DNSServer-NT5
    Description: Collects DNS event and debug logs from Windows Server 2003 or Server 2003 R2 DNS servers.

    Name: TA-DNSServer-NT6
    Description: Collects DNS event and debug logs from Windows Server 2008, Server 2008 R2, or Server 2012 DNS servers.

    About the central Splunk App for Active Directory instance

    The "central" Splunk instance receives AD data from the domain controllers and DNS servers in your AD environment.

    It can be a single Splunk server that both indexes and presents the data in the app, or it can be a distributed deployment with multiple indexers and search heads to handle increased data and search load.

    Its size depends on the size and scope of your Active Directory environment. A larger environment requires a distributed deployment because of the amount of data that the AD servers generate.

    Example deployment

    This diagram depicts a typical Splunk App for Active Directory deployment.


    How to deploy the Splunk App for Active Directory

    This topic details the deployment procedure for the Splunk App for Active Directory.

    Overview

    There are three main steps to installing the Splunk App for Active Directory:

    First, you prepare your Active Directory environment so that it properly generates and formats the data for the app.

    Then, you configure the Splunk App for Active Directory on your central Splunk instance to receive and search the incoming Active Directory data.

    Finally, you install and configure universal forwarders on your domain controllers and DNS servers so that they send AD data to the central Splunk instance.

    Prepare your Active Directory environment

    Before you can deploy the Splunk App for Active Directory, you must prepare your AD environment to generate the required data for the app.

    Important: You must have administrator-level privileges to complete the following steps. If you do not have these credentials, then find someone in your organization who does, as you cannot finish the procedure without this access.

    To prepare your AD environment for the Splunk App for Active Directory:

    1. Verify that all of the domain controllers and DNS servers in your environment have the latest service packs and hot fixes installed.

    If your AD computer runs this version of Windows, then confirm that it has (at a minimum):

    Windows Server 2003, Windows Server 2003 R2:
        * All service packs
        * The Windows Management Framework Core Package (KB 968930)
        * PowerShell v2.0 installed and enabled
        * The Administrative Templates for Microsoft PowerShell

    Windows Server 2008 R2 Core:
        * All service packs
        * PowerShell v2.0 installed and enabled (Learn how to enable PowerShell)

    Windows Server 2008, Windows Server 2008 R2, Windows Server 2012:
        * All service packs

    Important: The Splunk App for Active Directory does not support computers that run Windows Server 2008 Core because that version of Windows does not support PowerShell. You must upgrade or reinstall those systems with a version of Windows that the app supports. Review the platform and hardware requirements for additional information.

    2. Confirm that PowerShell v2.0 or later is installed. Versions of PowerShell earlier than v2.0 are not compatible with the Splunk App for Active Directory.

    3. Set your AD environment's forest and domain functional levels to "Windows Server 2003" or higher.

    For additional information on forest and domain functional levels, review "What are Active Directory functional levels?" (http://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx) on MS TechNet.

    4. Enable Security event log auditing and local PowerShell script execution on every domain controller in your AD environment.

    Caution: When you enable Security event log auditing on your domain controllers, the DCs generate a large number of events. These events significantly impact indexing volume and might cause indexing license violations. You might also see decreased performance on your domain controllers. Read this topic carefully to understand what events the Splunk App for Active Directory must collect to function properly and which events you can choose not to include.

    5. If you want detailed DNS server statistics, enable debug logging on your DNS servers by following the instructions at "Select and enable debug logging options on the DNS server" (http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx) on MS TechNet.

    Caution: When you enable debug logging on your DNS servers, you must consider the following caveats:

    * If you enable DNS server debug logging, individual DNS server performance will decrease significantly.

    * Debug logging generates significant amounts of data that might exhaust disk space on your DNS servers, which can potentially cause downtime. You must watch and rotate your DNS server logs to prevent disk capacity issues from occurring.

    * Debug logging also greatly increases the overall amount of data indexed by the Splunk App for Active Directory. Ensure that you have a Splunk license that can accommodate the additional indexing volume.
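    The following PowerShell script is an added example for steps 1 to 3 of the procedure above; it is not part of the Splunk App for Active Directory or its documentation. It assumes PowerShell 2.0 (so it uses Get-WmiObject and [ADSI] rather than the Active Directory module), an elevated prompt on the domain controller or DNS server being checked, and an English-language Windows. Step 4 (auditing) and step 5 (DNS debug logging) are not covered here.

```powershell
# Added pre-flight check for "Prepare your Active Directory environment".
# Not part of the Splunk App for Active Directory. Assumes PowerShell 2.0,
# an elevated prompt and English Windows. Returns a list of findings;
# an empty list means the host passes steps 1 to 3.
function Test-SplunkAdPrereqs {
    $findings = @()

    # Step 2: the TAs run PowerShell scripts, so v1.0 is unusable.
    # $PSVersionTable only exists from PowerShell 2.0 on.
    if ($PSVersionTable -eq $null -or $PSVersionTable.PSVersion.Major -lt 2) {
        $findings += 'PowerShell 2.0 or later is required (install Windows Management Framework Core, KB968930).'
    }

    # Step 1: service-pack minimums per Windows version (major.minor -> required SP).
    # Server 2003 R2 reports itself as 5.2 with SP1 built in, so it only needs SP1.
    $os      = Get-WmiObject Win32_OperatingSystem
    $ver     = ($os.Version -split '\.')[0..1] -join '.'
    $isR2003 = ($ver -eq '5.2') -and ($os.OtherTypeDescription -like '*R2*')
    $minSp   = @{ '5.2' = 2; '6.0' = 2; '6.1' = 1; '6.2' = 0 }
    if ($isR2003) { $minSp['5.2'] = 1 }
    if (-not $minSp.ContainsKey($ver)) {
        $findings += "Windows version $($os.Version) is not in the app's supported list."
    } elseif ($os.ServicePackMajorVersion -lt $minSp[$ver]) {
        $findings += "Service pack $($minSp[$ver]) or later is required on $($os.Caption)."
    }

    # Step 1: Server 2008 Core (6.0) has no PowerShell and is unsupported;
    # Server 2008 R2 Core (6.1) is supported once PowerShell is enabled.
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue
    if ($nt.InstallationType -eq 'Server Core' -and $ver -eq '6.0') {
        $findings += 'Windows Server 2008 Core is not supported; upgrade or reinstall this server.'
    }

    # Step 3: forest and domain functional level from RootDSE.
    # Values: 0 = Windows 2000, 1 = 2003 interim, 2 = 2003, 3 = 2008, 4 = 2008 R2, 5 = 2012.
    try {
        $rootDse = [ADSI]'LDAP://RootDSE'
        $forest  = [int]"$($rootDse.forestFunctionality)"
        $domain  = [int]"$($rootDse.domainFunctionality)"
        if ($forest -lt 2) { $findings += "Forest functional level is $forest; raise it to Windows Server 2003 (2) or higher." }
        if ($domain -lt 2) { $findings += "Domain functional level is $domain; raise it to Windows Server 2003 (2) or higher." }
    } catch {
        $findings += "Could not read RootDSE: $($_.Exception.Message)"
    }

    return ,$findings
}

$result = Test-SplunkAdPrereqs
if ($result.Count -eq 0) { Write-Host 'All prerequisite checks passed.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

    Run it on each domain controller and DNS server before installing a forwarder there; any warning it prints corresponds to one of the numbered steps above and must be resolved first.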

    Install and configure the central Splunk instance

    Once you have configured your AD environment to send the appropriate data, you must now configure the central Splunk instance to receive, index, and present that data.

    If your central Splunk instance is a single indexer, install the following items onto the indexer (there are no separate search heads, so nothing else is installed):

    * SA-ldapsearch
    * Sideview Utils v1.3.2 or later
    * The Splunk Technology Add-on for Windows
    * The Splunk App for Active Directory

    If your central Splunk instance is a distributed environment with multiple indexers and search heads, install the following items onto every indexer and onto every search head:

    * SA-ldapsearch
    * Sideview Utils v1.3.2 or later
    * The Splunk Technology Add-on for Windows
    * The Splunk App for Active Directory

    1. Install a full copy of Splunk or designate an existing installation as your central Splunk instance.

    Important: We strongly recommend a distributed Splunk deployment for the central Splunk instance in a Splunk App for Active Directory installation. Review the Distributed Deployment Manual for information on distributed deployments.

    2. Configure Splunk to be a receiving indexer by telling it to listen on a port for incoming AD data.


    3. Download the SA-ldapsearch supporting add-on.

    4. Install and configure SA-ldapsearch on the central Splunk instance.

    5. Download and install Sideview Utils 1.3.2 or later on the central Splunk instance.

    Note: If your central Splunk instance is distributed, then you must install Sideview Utils onto both the search heads and indexers in the instance.

    6. Download and install the Splunk Technology Add-on for Windows.

    Note: If your central Splunk instance runs on Unix or Linux, you might receive a compatibility warning if you install the Splunk TA for Windows through Manager. You can safely ignore this warning. The Splunk App for Active Directory requires several modules that the Splunk TA for Windows provides, and cannot run without the TA installed.

    7. Install and configure the Splunk App for Active Directory onto your central Splunk instance.

    Note: If your central Splunk instance is distributed, then you must install the app onto both the search heads and indexers in the instance.

    8. Restart all instances in your Splunk App for Active Directory deployment to ensure that installation and configuration changes take effect.

    Restart your central Splunk instance first. If your central Splunk instance is distributed, restart both the search heads and indexers.

    Then, restart all universal forwarders in the deployment.

    Install and configure universal forwarders on AD servers

    Once you have configured your central Splunk instance to receive incoming AD data, you must now install universal forwarders to send that data from domain controllers and DNS servers in your AD environment.

    To forward AD data from your AD servers to the central Splunk App for Active Directory instance:

    1. Download the Splunk App for Active Directory installation package and unpack it to a known, accessible location.


    2. Download the Splunk Technology Add-on for Windows and unpack it to a known, accessible location.

    Caution: The Splunk App for Active Directory is not compatible with the Splunk App for Windows. You must only install the Splunk Technology Add-on for Windows.

    3. Download and install a Splunk universal forwarder onto each of the domain controllers and DNS servers in your environment.

    Important:

    * Install only one universal forwarder on each domain controller or DNS server.

    * When asked for the user to install Splunk as, choose the "Local System" user.

    * When asked for the receiving indexer (where the forwarder should send data), enter the host name or IP address and port of a receiving indexer on your central Splunk instance.

    Do not enable any of the inputs during the installation.
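    The following PowerShell script is an added example of an unattended install that satisfies the four points of step 3; it is not part of the Splunk App for Active Directory or Splunk's own installer documentation. The MSI path, the receiving indexer and the deployment server names are placeholders. It assumes the receiver was already enabled on the central instance (step 2 of the central-instance procedure, for example with "splunk enable listen 9997" on the indexer), that the forwarder version is one the app supports (4.2.5 or later, but not 5.0 or later per the caution in the Introduction), and that the MSI's documented properties RECEIVING_INDEXER, DEPLOYMENT_SERVER, AGREETOLICENSE and LAUNCHSPLUNK behave as they do in the 4.x forwarder installer: with no LOGON_USERNAME the service runs as Local System, and with no input properties no inputs are enabled. The post-install check of outputs.conf under etc\system\local is also an assumption about where the installer writes the receiver.

```powershell
# Added unattended forwarder install for step 3 above. Not part of the
# Splunk App for Active Directory. Paths and host names are placeholders.
$msiPath      = 'C:\Temp\splunkforwarder-4.3.1-x64-release.msi'   # placeholder
$receiver     = 'splunk-idx01.corp.example.com:9997'              # placeholder receiving indexer
$deployServer = 'splunk-ds01.corp.example.com:8089'               # placeholder deployment server
$installLog   = 'C:\Temp\splunkforwarder-install.log'
$splunkHome   = "$env:ProgramFiles\SplunkUniversalForwarder"       # MSI default install dir

# "Install only one universal forwarder": refuse to run if any Splunk
# service (forwarder or full Splunk) already exists on this host.
$existing = Get-WmiObject Win32_Service -Filter "Name LIKE 'Splunk%'"
if ($existing) {
    $names = ($existing | ForEach-Object { $_.Name }) -join ', '
    throw "A Splunk service already exists on this host: $names"
}

# No LOGON_USERNAME -> service account is Local System.
# No WINEVENTLOG_*/PERFMON properties -> no inputs enabled at install time.
$msiArgs = @(
    '/i', "`"$msiPath`"",
    "RECEIVING_INDEXER=`"$receiver`"",
    "DEPLOYMENT_SERVER=`"$deployServer`"",
    'AGREETOLICENSE=Yes',
    'LAUNCHSPLUNK=1',
    '/quiet', '/L*v', "`"$installLog`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with $($proc.ExitCode); see $installLog" }

# Post-install checks: the service account and the forwarding target.
$svc = Get-WmiObject Win32_Service -Filter "Name='SplunkForwarder'"
if ($svc -eq $null -or $svc.StartName -ne 'LocalSystem') {
    throw "SplunkForwarder service missing or not running as Local System (StartName=$($svc.StartName))"
}
# Assumption: the installer writes RECEIVING_INDEXER to etc\system\local\outputs.conf.
$outputs = Join-Path $splunkHome 'etc\system\local\outputs.conf'
if (-not (Select-String -Path $outputs -Pattern ([regex]::Escape($receiver)) -Quiet)) {
    throw "outputs.conf does not reference $receiver"
}
Write-Host "Universal forwarder installed as Local System; it will fetch its TAs from $deployServer."
```

    Because the script sets DEPLOYMENT_SERVER, the forwarder registers with the deployment server immediately, so the TAs prepared in steps 4 to 7 reach it without a second visit to the domain controller.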

    4. Prepare the Splunk App for Active Directory technology add-ons for the AD servers in your environment.

    Note: The TAs for the Splunk App for Active Directory reside in Splunk_for_ActiveDirectory\appserver\addons in the Splunk App for Active Directory installation package.

    5. If you use a Splunk deployment server to deploy the app, copy the configured TAs into %SPLUNK_HOME%\etc\deployment-apps on your deployment server.

    Note: We strongly recommend that you use a deployment server to distribute apps, add-ons and configuration files for the Splunk App for Active Directory.

    6. If you use a Splunk deployment server to deploy the app, configure serverclass.conf on your deployment server to distribute the add-ons across the AD servers in your environment.

    7. Install or deploy the appropriate TAs onto each universal forwarder, according to the table shown below:

    If the AD computer is a domain controller:
        * running Windows Server 2003 or Server 2003 R2: install or deploy Splunk_TA_Windows and TA-DomainController-NT5
        * running Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, or Server 2012: install or deploy Splunk_TA_Windows and TA-DomainController-NT6

    If the AD computer is a DNS server:
        * running Windows Server 2003 or Server 2003 R2: install or deploy Splunk_TA_Windows and TA-DNSServer-NT5
        * running Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, or Server 2012: install or deploy Splunk_TA_Windows and TA-DNSServer-NT6

    If the AD computer is both a domain controller and a DNS server:
        * running Windows Server 2003 or Server 2003 R2: install or deploy Splunk_TA_Windows, TA-DomainController-NT5 and TA-DNSServer-NT5
        * running Windows Server 2008, Server 2008 R2, or Server 2008 R2 Core: install or deploy Splunk_TA_Windows, TA-DomainController-NT6 and TA-DNSServer-NT6

    Note: If you do not have a deployment server, or do not want to use one to deploy the TA(s), then you must manually copy them to %SPLUNK_HOME%\etc\apps on each Active Directory domain controller or DNS server.
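    The following serverclass.conf is an added example for steps 5 to 7; it is not shipped with the Splunk App for Active Directory. The host-name patterns are placeholders, and every app directory it names must already exist under %SPLUNK_HOME%\etc\deployment-apps. A whitelist matches on client name and cannot tell Windows versions apart, so the Server 2003 hosts are listed by a naming convention (dc-legacy*) that is assumed here; a host that matches both a domain-controller class and a DNS class receives both TAs, which is what the table requires for servers holding both roles.

```ini
# Added example serverclass.conf (not part of the app). Host names are placeholders.
[global]
# Restart the forwarder when an app arrives so its inputs take effect; this
# restarts splunkd only, not the domain controller.
restartSplunkd = true
stateOnClient = enabled

# Every AD server, whatever its role, gets the Windows TA.
[serverClass:ad_windows]
whitelist.0 = dc*.corp.example.com
whitelist.1 = dns*.corp.example.com

[serverClass:ad_windows:app:Splunk_TA_Windows]

# Domain controllers on Windows Server 2008, 2008 R2 (incl. Core) and 2012.
[serverClass:ad_dc_nt6]
whitelist.0 = dc*.corp.example.com
blacklist.0 = dc-legacy*.corp.example.com

[serverClass:ad_dc_nt6:app:TA-DomainController-NT6]

# Domain controllers still on Windows Server 2003 / 2003 R2 (assumed naming).
[serverClass:ad_dc_nt5]
whitelist.0 = dc-legacy*.corp.example.com

[serverClass:ad_dc_nt5:app:TA-DomainController-NT5]

# DNS servers on Windows Server 2008 and later. The DCs that also run DNS
# match here too and therefore receive TA-DNSServer-NT6 in addition.
[serverClass:ad_dns_nt6]
whitelist.0 = dns*.corp.example.com
whitelist.1 = dc*.corp.example.com
blacklist.0 = dc-legacy*.corp.example.com

[serverClass:ad_dns_nt6:app:TA-DNSServer-NT6]

# DNS servers on Windows Server 2003 / 2003 R2 (here, the legacy DCs).
[serverClass:ad_dns_nt5]
whitelist.0 = dc-legacy*.corp.example.com

[serverClass:ad_dns_nt5:app:TA-DNSServer-NT5]
```

    After editing the file, run "splunk reload deploy-server" on the deployment server so the new classes are read; forwarders pick up their TAs on their next phone-home.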

    If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Active Directory into your environment.

    Enable auditing and local PowerShell script execution on Active Directory servers

    The Splunk App for Active Directory requires that you enable certain features in your Active Directory (AD) environment in order for the app to function optimally. This topic discusses how to enable auditing of AD events and execution of local PowerShell scripts.

    Auditing overview

    By default, Active Directory does not automatically audit certain security events. You must enable auditing of these events so that your domain controllers log them into the Security event log channel.

    You do this by creating a Group Policy object (GPO) and deploying that GPO to all domain controllers (DCs) in your AD environment. Once you activate the GPO, your DCs will log these security events into the Security event log. After you deploy universal forwarders with the appropriate technology add-ons onto your DCs, the forwarders collect the logs and forward them to the central Splunk App for Active Directory instance.

    Note: This topic shows you how to create individual Group Policy objects (GPOs) for both sets of settings. If you wish, you can combine both the PowerShell and audit settings into a single GPO. For ease of administration, you should create and deploy these GPOs separately from other GPOs.

    Important information on security event auditing and indexing volume

    When you enable auditing of the Security Event Log on your domain controllers, the DCs generate a lot of data. These events significantly increase indexing volume and might cause indexing license violations. You might also see decreased performance on your domain controllers based on how much additional data the servers generate.

    If you are concerned about the impact that enabling security event auditing might have on your indexing volume, you can tweak policy settings to generate only the data that is important to you. Refer to the table below to learn about which policy settings generate which event types, and how the Splunk App for Active Directory uses those events to populate its dashboards, reports and lookups.

    If you choose to disable certain policy settings in an effort to curb indexing volume, you directly affect how much data gets sent to the Splunk App for Active Directory. The table below lists what data you lose if you do not enable a particular policy setting. This is not an all-inclusive list - some lookups are correlated across various policy settings, as multiple events often derive a single knowledge object. Failure to enable all of the policy settings might cause the Splunk App for Active Directory to display incomplete or incorrect knowledge objects in its dashboards and reports.

    Policy setting / Required? / What the Splunk App for Active Directory uses it for:

    Audit Account Logon Events (required: yes). Used for: Administrator Audit dashboards; Security->Logon dashboards; Security->Reports->New (Computer or Domain) Accounts; Session ID-to-User (tSessions) lookup; Computer-to-IP Address (tHostinfo) lookup.

    Audit Account Management (required: no). Used for: Administrator Audit dashboards; Change Management dashboards.

    Audit Logon Events (required: no). Used for: Administrator Audit dashboards; logon and access information.

    Audit Object Access (required: no). Used for: Administrator Audit dashboards; information on who changed a GPO and when.

    Audit Policy Change (required: no). Used for: Security->Reports->Group Policy Reports; GPO Change Management dashboard.

    Audit System Events (required: no). Used for: Directory Services replication events.

    Advanced Audit Policy settings

    You might alternatively want to use the Advanced Audit Policy (AAP) configuration settings to control which events your domain controllers send to the Splunk App for Active Directory. While we do support this method, it is outside the scope of this document to list all available AAP configuration options.

    This is because of the number of available AAP configuration options and the fact that those options change with different Windows versions - for example, the options for the Windows Server 2003 family differ from those in the Windows Server 2008 family. Windows Vista and earlier versions of Windows do not support AAP.

    If you need more granularity in the types of audit events you want generated, you can review eventtypes.conf (located in the Splunk App for Active Directory installation at %SPLUNK_HOME%\etc\apps\Splunk_for_ActiveDirectory\default) for the event codes that the app looks for. With that information, you can create a GPO that enables AAP and generates audit events for only those specific event codes.

    Note: When you enable AAP, Windows disables configurations for standard Audit Policy.


    Enable auditing

    To enable auditing of security events in your AD domain or forest:

    On Windows Server 2003 and Server 2003 R2

1. Create a new Active Directory GPO:

a. Click Start > Administrative Tools > Active Directory Sites and Services.

b. In the left pane, under "Sites", locate the site for which you want to set group policy.

c. Right-click the site, then select Properties.

d. In the window that appears, click the Group Policy tab.

e. Click New.

f. Enter a unique name for your new GPO that you will remember.

2. Open the GPO for editing by clicking the Edit... button in the Group Policy properties window.

3. In the GPO Editor, select Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

4. Enable both Success and Failure auditing of the following policy settings:

Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit system events

5. Close the Group Policy Object Editor window to save your changes.

6. Deploy the GPO:

a. Open Active Directory Users and Computers: click Start > Administrative Tools > Active Directory Users and Computers.

b. In the left pane of the window that appears, right-click Domain Controllers, then click Properties.

c. Click the Group Policy tab.

d. Click the Add... button.

e. In the dialog that appears, click the All tab.

f. Select the GPO you created in Step 1, then click OK.

g. Move your GPO up or down in the priority list to your liking.

h. Close the window to save changes.

On Windows Server 2008 and Server 2008 R2

1. Create a new GPO:

a. Click Start > Administrative Tools > Group Policy Management.

b. In the left pane, under "Group Policy Management," expand the forest and domain for which you want to set group policy.

c. Right-click Group Policy Objects and select New.

d. In the dialog window that opens, enter a unique name for your new GPO that you will remember in the Name field, and select (none) for the Source Starter GPO field.

2. Open the GPO for editing by right-clicking the newly created GPO in the Group Policy Objects window and selecting Edit.

3. In the GPO editor, select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

4. Enable both Success and Failure auditing of the following policy settings:

Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit system events

5. Close the Group Policy Object Editor window to save your changes.

6. Deploy the GPO:

a. In Group Policy Management, in the left pane of the window, right-click the Domain Controllers organizational unit and click "Link an Existing GPO...".

b. In the window that appears, select the GPO you created in Step 1.

c. Click OK. The GPMC will refresh to show that your GPO is now linked to the Domain Controllers organizational unit.

    Enable local PowerShell script execution

The Splunk App for Active Directory technology add-ons contain PowerShell scripts that must run on the domain controllers and DNS servers in your AD environment. You must configure your domain controllers to allow local execution of PowerShell scripts so that they can run. Note that the execution policy is a guard against accidentally running scripts, not a security boundary: what matters more is that the TA directory under the universal forwarder is writable only by administrators, because any script placed there runs under the forwarder's service account on a domain controller.

To enable local execution of PowerShell scripts on your domain controllers:

1. If required, download PowerShell (http://support.microsoft.com/kb/968929) from Microsoft's Support site and install it.

Note: Windows Server 2008 R2 installs PowerShell 2.0 by default (on Server Core it is an optional feature). On Windows Server 2008 SP2, Windows PowerShell is an optional Windows feature that you add through Server Manager, and Windows Server 2003 R2 does not ship PowerShell at all; install it from the download above.

2. If required, download the Administrative Templates for Microsoft PowerShell (http://www.microsoft.com/en-us/download/details.aspx?id=25119) from Microsoft and install them.

Note: The templates only need to be present on the computer on which you edit the GPO (or in your domain's central store). Windows Server 2008 R2 ships them in %SystemRoot%\PolicyDefinitions; on older systems, install them from the download above if the "Windows PowerShell" node is missing under Administrative Templates.


    3. Create a new Active Directory GPO:

    4. Open the GPO for editing.

5. In the GPO editor, select Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell.

6. Right-click "Turn on script execution", then select "Edit".

7. In the window that appears, click the "Enabled" radio button.

8. In the "Execution Policy" drop-down, select Allow local scripts and remote signed scripts.

    9. Click "OK" to accept the changes.

    10. Close the Group Policy Object editor to save your changes.

    11. Deploy the GPO.
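After both GPOs have applied (run gpupdate /force on a domain controller or wait for the refresh interval), the following PowerShell script confirms that the effective audit policy and execution policy are what the steps above intend. It is an added example, not part of the app or its add-ons. It reads the effective policy with auditpol, which reports the result whichever of basic or Advanced Audit Policy is in force, and inspects the MachinePolicy execution-policy scope that the "Turn on script execution" GPO writes. The category names are the English ones auditpol prints; trim $RequiredCategories if you took the AAP route and enabled fewer categories. Run it elevated; it uses Windows PowerShell 2.0 syntax so that it also works on Server 2008 R2.

```powershell
# Test-SplunkADPrereqs.ps1 - added example, not part of the Splunk App for Active Directory.
# Run elevated on a domain controller after the auditing and PowerShell GPOs have applied.

# Audit categories the "Enable auditing" steps turn on, named as auditpol names them (English).
$RequiredCategories = @(
    'Account Logon', 'Account Management', 'DS Access', 'Logon/Logoff',
    'Object Access', 'Policy Change', 'Privilege Use', 'System'
)

function Get-EffectiveAuditPolicy {
    param([string[]] $Categories = $RequiredCategories)
    foreach ($category in $Categories) {
        # "/r" prints CSV with the columns Machine Name, Policy Target, Subcategory,
        # Subcategory GUID, Inclusion Setting, Exclusion Setting, preceded by a blank line.
        $rows = auditpol /get "/category:$category" /r 2>$null |
            Where-Object { $_ -match ',' } | ConvertFrom-Csv
        if (-not $rows) {
            Write-Warning "auditpol returned nothing for '$category' (not elevated, or a localised category name?)"
            continue
        }
        foreach ($row in $rows) {
            New-Object PSObject -Property @{
                Category    = $category
                Subcategory = $row.Subcategory
                Setting     = $row.'Inclusion Setting'
                Ok          = ($row.'Inclusion Setting' -eq 'Success and Failure')
            }
        }
    }
}

function Test-ScriptExecutionPolicy {
    # "Turn on script execution" = "Allow local scripts and remote signed scripts" lands in
    # the MachinePolicy scope as RemoteSigned and takes precedence over every other scope.
    $machine   = Get-ExecutionPolicy -Scope MachinePolicy
    $effective = Get-ExecutionPolicy
    New-Object PSObject -Property @{
        MachinePolicy = $machine
        Effective     = $effective
        Ok            = (@('RemoteSigned', 'Unrestricted', 'Bypass') -contains "$effective")
    }
}

$audit   = @(Get-EffectiveAuditPolicy)
$missing = @($audit | Where-Object { -not $_.Ok })
$exec    = Test-ScriptExecutionPolicy

if ($missing.Count -gt 0) {
    Write-Host 'Subcategories that are not auditing Success and Failure:'
    $missing | Format-Table Category, Subcategory, Setting -AutoSize
}
Write-Host ('Execution policy: MachinePolicy={0} Effective={1}' -f $exec.MachinePolicy, $exec.Effective)

if ($missing.Count -eq 0 -and $exec.Ok) {
    Write-Host 'OK: this domain controller meets the app prerequisites'
    exit 0
}
Write-Host 'FAIL: fix the GPOs listed above, run gpupdate /force and re-run this script'
exit 1
```

The script reports per subcategory because that is the granularity at which Windows actually generates events; a basic-policy category set to Success and Failure shows every one of its subcategories in that state, so a row that reads "No Auditing" points at either a GPO that has not applied yet or an AAP setting overriding the basic one.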

    Configure and deploy the technology add-ons

This topic discusses what you must do to deploy and configure the technology add-ons (TAs) on your Active Directory domain controllers and DNS servers.

Overview

The Splunk App for Active Directory uses several indexes to store its data for later use. The universal forwarders in a Splunk App for Active Directory deployment tag the incoming data with the correct index, which the app then uses in its dashboards, reports, and lookups.

By default, the Splunk App for Active Directory is configured to store data in the following indexes:

Data type                                                          | Index
-------------------------------------------------------------------|----------
Security, System and Application event logs*                       | main
Active Directory replication and DNS Server event logs             | winevents
Performance monitoring / metrics                                   | perfmon
PowerShell logs for Active Directory health (ldapsearch) / metrics | msad

* The Splunk Technology Add-on for Windows collects these logs. It uses the main index by default.

If you want the Splunk App for Active Directory to use different indexes (for example, if you are using an existing Splunk instance as the central Splunk instance, or are upgrading from a previous version that used different indexes), then follow the instructions in this topic to configure the technology add-ons to use different indexes than what comes with the Splunk App for Active Directory out of the box. Whichever index names you choose must be defined in indexes.conf on the indexers of the central Splunk instance before the forwarders start sending: an indexer discards events that arrive for an index it does not have.

You can find the technology add-ons in the Splunk App for Active Directory installation package, at Splunk_for_ActiveDirectory\appserver\addons

Important:

If you want to deploy the Splunk App for Active Directory with default settings as shown in the table above, then do not proceed further in this topic. The work is already done for you, and you can proceed to the next step in the deployment process.

You only need to edit the technology add-on configurations if you want the Splunk App for Active Directory to use different indexes than the ones shown above.

    Configure TAs for domain controllers

You must configure the domain controller TAs on each domain controller in your AD environment. Once the TAs are properly configured, they collect data from the domain controllers and send it to the central Splunk App for Active Directory instance. This instance indexes the data and displays it when you run the app.

The technology add-ons you configure depend on what version of Windows is installed on your domain controllers.

Following is a table that shows which TAs should be installed on the domain controllers in your environment:

If your domain controller runs:                                           | then install or deploy these TA(s):
--------------------------------------------------------------------------|-------------------------------------------
Windows Server 2003 or Windows Server 2003 R2                             | Splunk_TA_windows, TA-DomainController-NT5
Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, or Server 2012  | Splunk_TA_windows, TA-DomainController-NT6

To configure the TAs to send events to the appropriate indexes on your central Splunk instance:

Edit the configuration files

1. In the Splunk for Active Directory app installation package, locate the proper TA for the version of domain controller that operates in your AD environment.

Note: Use the table above to determine which TA(s) you should configure and deploy.

2. Copy the files located in TA-DomainController-NTx\default to TA-DomainController-NTx\local.

Note: You might need to create the local directory if it does not exist.

3. In the TA-DomainController-NTx\local directory, open admon.conf for editing.

4. In the file, under the [nearestDc] stanza, add or change the index attribute to point to the correct index for Active Directory monitoring data on the central Splunk instance.

For example, if you configured the Splunk App for Active Directory to use the ad-monitor index, then configure the [nearestDc] stanza as follows:

[nearestDc]
disabled = 0
monitorSubtree = 1
index=ad-monitor

5. Save the file and close it.

6. Open the perfmon.conf file in the same directory for editing.

7. In this file, edit the stanzas so that the index attribute for each stanza points to the correct index for performance metrics on the central Splunk instance.

For example, if you configured the Splunk App for Active Directory to use the ad-perfmon index, then edit the perfmon.conf file as follows:

[PERFMON:Processor]
object = Processor
index=ad-perfmon
counters = *
instances = *
interval = 10
disabled = 0

[PERFMON:Memory]
index=ad-perfmon
object = Memory
counters = *
interval = 10
disabled = 0

[PERFMON:Network_Interface]
index=ad-perfmon
object = Network Interface
counters = *
instances = *
interval = 10
disabled = 0

[PERFMON:DFS_Replicated_Folders]
index=ad-perfmon
object = DFS Replicated Folders
counters = *
instances = *
interval = 30
disabled = 0

[PERFMON:NTDS]
index=ad-perfmon
object = NTDS
counters = *
interval = 10
disabled = 0

8. Save the file and close it.

9. Finally, open the inputs.conf file for editing.

10. In this file, edit the stanzas so that the index attribute for each stanza points to the correct index for event log collection on the central Splunk instance.

For example, if you configured the Splunk App for Active Directory to use the ad-eventlogs index, then edit the inputs.conf file as follows:

###
### Windows Event Logs
###
### Application, System and Security logs are handled
### by Splunk_TA_windows and should be compatible with
### what we need
###

#
# Application and Services Logs - DFS Replication
#
[WinEventLog:DFS Replication]
disabled=0
index=ad-eventlogs
sourcetype="WinEventLog:DFS Replication"
queue=parsingQueue

#
# Application and Services Logs - Directory Service
#
[WinEventLog:Directory Service]
disabled=0
index=ad-eventlogs
sourcetype="WinEventLog:Directory Service"
queue=parsingQueue

#
# Application and Services Logs - File Replication Service
#
[WinEventLog:File Replication Service]
disabled=0
index=ad-eventlogs
sourcetype="WinEventLog:File Replication Service"
queue=parsingQueue

#
# Application and Services Logs - Key Management Service
#
[WinEventLog:Key Management Service]
disabled=0
index=ad-eventlogs
sourcetype="WinEventLog:Key Management Service"
queue=parsingQueue

#
# Collect Replication Information
#
[script://.\bin\runpowershell.cmd ad-repl-stat.ps1]
index=ad-monitor
source=Powershell
sourcetype=MSAD:NT6:Replication
interval=300
disabled=false

#
# Collect Health and Topology Information
#
[script://.\bin\runpowershell.cmd ad-health.ps1]
index=ad-monitor
source=Powershell
sourcetype=MSAD:NT6:Health
interval=300
disabled=false

#
# Collect Site, Site Link and Subnet Information
#
[script://.\bin\runpowershell.cmd siteinfo.ps1]
index=ad-monitor
source=Powershell
sourcetype=MSAD:NT6:SiteInfo
interval=3600
disabled=false

#
# Perfmon Collection
#
[script://$SPLUNK_HOME\bin\scripts\splunk-perfmon.path]
index=ad-perfmon
interval=3600
disabled=false
source=PerformanceMonitor
queue=winparsing

#
# ADMon Collection
#
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
index=ad-monitor
interval=3600
disabled=false

#
# Subnet Affinity Log
#
[monitor://C:\Windows\debug\netlogon.log]
index=ad-monitor
sourcetype=MSAD:NT6:Netlogon
disabled=false

11. Save the file and close it.


    Configure TAs for DNS servers

For the DNS servers in your AD environment, configure and deploy the TA-DNSServer-NTx TAs in the same way that you configure the TAs for the domain controllers.

If your DNS server runs:                                                  | then install or deploy these TA(s):
--------------------------------------------------------------------------|------------------------------------
Windows Server 2003 or Windows Server 2003 R2                             | TA-DNSServer-NT5
Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, or Server 2012  | TA-DNSServer-NT6

Note: You do not need to install the Splunk Technology Add-on for Windows (Splunk_TA_windows) on DNS servers.

Deploy the technology add-ons

To install the TAs, place them into the %SPLUNK_HOME%\etc\apps directory of the universal forwarder on each domain controller.

If you have a deployment server in your Splunk deployment, you can use it to distribute the apps to your domain controllers by placing the TAs into %SPLUNK_HOME%\etc\deployment-apps on the deployment server. Create a server class that differentiates domain controllers from member servers to ensure the TAs get deployed only to the appropriate computers.

For more information on configuring deployment servers, read "About deployment server" in the core Splunk documentation.

For more information on how to create a server class on your deployment server to differentiate domain controllers from other servers, read "Define server classes" in the core Splunk documentation.

Deploy TAs and configurations with a deployment server

This topic discusses what is required to deploy the Splunk App for Active Directory's technology add-ons from a deployment server.

Overview

We strongly recommend that you use a deployment server to distribute the technology add-ons (TAs) and configurations across the domain controllers and DNS servers in your environment. Once configured, the deployment server makes configuration management much easier - you only have to make a change in one place, versus on each AD server.

Important:

If you do not have a deployment server, or you do not wish to use a deployment server to distribute add-ons and configuration files, then do not proceed further.

Deploy the Splunk App for Active Directory technology add-ons from a deployment server

Before you deploy the TAs onto the universal forwarders, configure them to point to the correct indexes on the central Splunk instance. Read "Configure and deploy the technology add-ons" for specific instructions.

To distribute TAs and configurations across your AD servers:

1. Designate or install a full Splunk instance as a deployment server.

Review "Plan a deployment" in the core Splunk documentation for instructions.

2. Create a serverclass.conf that controls which forwarders receive which Splunk App for Active Directory technology add-ons.

Review "Define server classes" in the core Splunk documentation. We have provided an example serverclass.conf which you can edit to meet your needs.

3. Configure all universal forwarders to pull configurations from the deployment server.

Review "Configure deployment clients" in the core Splunk documentation.

4. Restart Splunk on your deployment server.

Example serverclass.conf

Below is an example serverclass.conf that you can tailor to meet your specific needs. This file belongs in %SPLUNK_HOME%/etc/system/local on your deployment server. Each whitelist entry is matched against the forwarder's clientName (from deploymentclient.conf), host name or IP address. The example relies on a naming convention in which the NT5 hosts are named forest-* and the NT6 hosts eng-*; any member server whose name happens to match one of those patterns would also receive the domain controller add-ons, so prefer exact host names where your naming is not that strict.

[serverClass:windows]
whitelist.0 = forest-*
whitelist.1 = eng-*

[serverClass:NT5_DC]
whitelist.0 = forest-*

[serverClass:NT5_DNS]
whitelist.0 = forest-*

[serverClass:NT6_DC]
whitelist.0 = eng-*

[serverClass:NT6_DNS]
whitelist.0 = eng-*

[serverClass:windows:app:Splunk_TA_windows]
restartSplunkd = true

[serverClass:NT5_DC:app:TA-DomainController-NT5]
restartSplunkd = true

[serverClass:NT5_DNS:app:TA-DNSServer-NT5]
restartSplunkd = true

[serverClass:NT6_DC:app:TA-DomainController-NT6]
restartSplunkd = true

[serverClass:NT6_DNS:app:TA-DNSServer-NT6]
restartSplunkd = true
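An explicit host list is safer than a naming convention. The following PowerShell script, an added example that is not part of the app or of Splunk, builds the same serverclass.conf layout from the domain controllers registered in Active Directory: each DC is whitelisted by its own host name, classified as NT5 or NT6 from its OperatingSystem attribute, and added to the DNS class only if the DNS Server service is present on it. It assumes the ActiveDirectory module (RSAT, or a Server 2008 R2 or later DC), remote WMI access to the DCs, and that each forwarder reports its short host name to the deployment server (no custom clientName). The constructed inventory at the bottom lets you see the output without touching AD.

```powershell
# New-ADServerClassConf.ps1 - added example, not part of the Splunk App for Active Directory.

function Get-ADCollectorInventory {
    # One object per domain controller: short host name, TA generation, whether it runs DNS.
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($dc in Get-ADDomainController -Filter *) {
        $generation = if ($dc.OperatingSystem -match '2003') { 'NT5' } else { 'NT6' }
        $isDns = $false
        try {
            # Needs local administrator rights on the DC for the remote WMI call.
            $svc = Get-WmiObject -ComputerName $dc.HostName -Class Win32_Service `
                       -Filter "Name='DNS'" -ErrorAction Stop
            $isDns = ($svc -ne $null)
        } catch {
            Write-Warning "Cannot query services on $($dc.HostName); assuming no DNS: $_"
        }
        New-Object PSObject -Property @{
            HostName   = ($dc.HostName -split '\.')[0]   # the forwarder reports its short name
            Generation = $generation
            IsDns      = $isDns
        }
    }
}

function New-ServerClassConf {
    param([Parameter(Mandatory=$true)] $Inventory)
    # Class name -> host names. "windows" gets every DC; DNS-only servers do not need Splunk_TA_windows.
    $members = @{ 'windows' = @() }
    foreach ($h in $Inventory) {
        $members['windows'] += $h.HostName
        $classes = @("$($h.Generation)_DC")
        if ($h.IsDns) { $classes += "$($h.Generation)_DNS" }
        foreach ($class in $classes) {
            if (-not $members.ContainsKey($class)) { $members[$class] = @() }
            $members[$class] += $h.HostName
        }
    }
    $apps = @{
        'windows' = 'Splunk_TA_windows'
        'NT5_DC'  = 'TA-Dom<br>ainController-NT5'; 'NT5_DNS' = 'TA-DNSServer-NT5'
        'NT6_DC'  = 'TA-DomainController-NT6'; 'NT6_DNS' = 'TA-DNSServer-NT6'
    }
    $lines = @()
    foreach ($class in ($members.Keys | Sort-Object)) {
        if ($members[$class].Count -eq 0) { continue }
        $lines += "[serverClass:$class]"
        $i = 0
        foreach ($name in ($members[$class] | Sort-Object -Unique)) {
            $lines += "whitelist.$i = $name"      # exact host name, no wildcard
            $i++
        }
        $lines += ''
        $lines += "[serverClass:${class}:app:$($apps[$class])]"
        $lines += 'restartSplunkd = true'
        $lines += ''
    }
    $lines -join "`r`n"
}

# Dry run with a constructed inventory (no AD access needed):
$sample = @(
    (New-Object PSObject -Property @{ HostName = 'forest-dc1'; Generation = 'NT5'; IsDns = $true  }),
    (New-Object PSObject -Property @{ HostName = 'eng-dc1';    Generation = 'NT6'; IsDns = $true  }),
    (New-Object PSObject -Property @{ HostName = 'eng-dc2';    Generation = 'NT6'; IsDns = $false })
)
New-ServerClassConf -Inventory $sample

# Live run on the deployment server ($env:SPLUNK_HOME is assumed to be set):
# New-ServerClassConf -Inventory (Get-ADCollectorInventory) |
#     Set-Content -Path "$env:SPLUNK_HOME\etc\system\local\serverclass.conf" -Encoding ASCII
```

Re-run it whenever a domain controller is promoted or demoted, then restart the deployment server as in step 4 above; a demoted DC drops out of every class, so the DC collection scripts stop being pushed to a machine that no longer needs them.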

    Configure the SA-ldapsearch supporting add-on

This topic discusses the steps needed to install the SA-ldapsearch supporting add-on (SA) into your Splunk App for Active Directory environment.

Configure the ldap.conf file in SA-ldapsearch

To install the SA-ldapsearch SA onto the central Splunk instance:

1. Place the SA-ldapsearch folder into %SPLUNK_HOME%\etc\apps on the central Splunk instance.

Note: If your central Splunk instance is set up as a distributed environment, then you must install the app onto all servers that act as search heads. We strongly suggest you use a deployment server to send apps and configurations to all of the search heads in a distributed central Splunk instance.

2. Make a copy of %SPLUNK_HOME%\etc\apps\SA-ldapsearch\default\ldap.conf and place it into %SPLUNK_HOME%\etc\apps\SA-ldapsearch\local.

3. Open the copied file in local for editing.

4. In this file, provide the host and credentials that should be used to search the Active Directory databases. For more information, see "Stanza types for ldap.conf" below. Because this file holds a directory password, restrict its NTFS permissions to administrators and the account the Splunk service runs as.

5. Save the file and close it.

    Stanza types for ldap.conf

The ldap.conf file has two types of stanza, both of which are required to monitor a single domain:

Informational stanza

The first stanza type - the informational stanza - provides information about a domain. The stanza name must be one of the following:

The NetBIOS name of the domain (for example, SPL).
The fully-qualified domain name (FQDN - for example, spl.com).

This stanza has the attributes shown below.

Attribute       | Description | Example
----------------|-------------|--------
server          | The host name or IP address of a domain controller on the domain that you wish to search. | host1.spl.com
port            | The LDAP port that the SA-ldapsearch SA should connect to in order to authenticate into the server specified in the server attribute. This attribute is optional, and if not present, will default to 389. Active Directory listens for LDAP over SSL on 636 (3269 on a global catalog), so set port to match when ssl is true. | 389
ssl             | Whether or not SA-ldapsearch should attempt to connect to AD using Secure Sockets Layer (SSL). Set to true to connect with SSL and false to connect without SSL. Without SSL, the bind password and every query result cross the network in clear text. | true
basedn          | The base Distinguished Name (DN) that the app should use when binding to the Directory Service to collect AD data. | dc=spl,dc=com
binddn          | The user, in LDAP format, that the app should bind to Active Directory as for the purposes of collecting AD data. The user must be able to read all records in the directory, in every domain. We do not recommend using the Administrator account; a dedicated, unprivileged domain account is normally sufficient, because the default AD permissions let Authenticated Users read ordinary directory objects. | cn=Administrator,cn=Users,dc=spl,dc=com
password        | The password for the user defined in the binddn attribute. The password can either be clear-text, or base-64 encoded. To specify a base-64 encoded password, place {64} before the password. Base-64 is an encoding, not encryption: it only keeps the password out of casual view, so protect the file itself. | {64}fohhiuehgihgri
alternatedomain | The name format for the domain which was not used in the stanza name. For example, if you used the FQDN for the domain as the stanza name, here you must specify the domain's NetBIOS name. | SPL

Important: If you specify true for the ssl attribute, then the AD server you specify must have a valid SSL certificate installed. For additional information, review "How to enable LDAP over SSL with a third-party certification authority" (http://support.microsoft.com/kb/321051) and "How to troubleshoot LDAP over SSL connection problems" (http://support.microsoft.com/kb/938703) on Microsoft's support site.

    Default stanza

The second stanza type is the default stanza. Use this stanza when you want to specify the name of a forest-level global catalog (GC) server.

Attribute | Description | Example
----------|-------------|--------
server    | The host name or IP address of a global catalog (GC) server. Used for contextual AD lookups. | dc1.spl.com
port      | The LDAP port that the SA-ldapsearch SA should connect to on the GC server specified in the server attribute. This attribute is optional, and if not present, will default to 389. Note that a global catalog answers forest-wide queries only on its GC ports, 3268 (3269 over SSL); on 389 or 636 the same host answers for its own domain alone. | 389
ssl       | Whether or not SA-ldapsearch should attempt to connect to the GC server using Secure Sockets Layer (SSL). Set to true to connect with SSL and false to connect without SSL. Defaults to false. | false

Important: If you specify true for the ssl attribute, then the GC server you specify must have a valid SSL certificate installed. For additional information, review "How to enable LDAP over SSL with a third-party certification authority" (http://support.microsoft.com/kb/321051) and "How to troubleshoot LDAP over SSL connection problems" (http://support.microsoft.com/kb/938703) on Microsoft's support site.

    Example ldap.conf

Following is an example ldap.conf.

Important: Do not use this file as is. You must modify it to fit your specific use case.

[spl.com]
server = host1;host2;host3
port = 389
ssl = false
basedn = dc=spl,dc=com
binddn = cn=Administrator,cn=Users,dc=spl,dc=com
password = {64}fohhiuehgihgri
alternatedomain = SPL

[default]
server = 172.19.0.2
port = 389
ssl = false
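The following PowerShell script is an added example, not part of SA-ldapsearch or of the app. Given the values you intend to write into a stanza, it produces the {64} form of the password and then binds to every server in the list with exactly those settings and reads the base DN, so a mistyped DN, an untrusted LDAPS certificate, a wrong port or a bind account without read rights shows up here rather than as empty dashboards later. Two assumptions are inferred from the documentation rather than from the add-on's code: that SA-ldapsearch performs an LDAP simple bind with binddn and password, and that {64} is the base-64 of the UTF-8 password bytes. The account name in the usage lines is hypothetical.

```powershell
# Test-LdapConfStanza.ps1 - added example, not part of SA-ldapsearch.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapConfPassword {
    # Assumption: {64} means base-64 of the UTF-8 password bytes.
    param([Parameter(Mandatory=$true)][string] $Password)
    '{64}' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Password))
}

function Test-LdapConfStanza {
    param(
        [Parameter(Mandatory=$true)][string] $Servers,   # "host1;host2;host3", as in ldap.conf
        [int]  $Port = 389,
        [bool] $Ssl  = $false,
        [Parameter(Mandatory=$true)][string] $BaseDn,
        [Parameter(Mandatory=$true)][string] $BindDn,
        [Parameter(Mandatory=$true)][string] $Password
    )
    foreach ($server in ($Servers -split ';')) {
        $result = New-Object PSObject -Property @{
            Server = $server; Port = $Port; Ssl = $Ssl; Ok = $false; Detail = ''
        }
        $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $Port)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
        $conn.SessionOptions.ProtocolVersion   = 3
        # No VerifyServerCertificate callback on purpose: an untrusted LDAPS certificate must fail here.
        $conn.SessionOptions.SecureSocketLayer = $Ssl
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as binddn/password implies
        $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
        try {
            $conn.Bind()
            # A base-scope read of basedn proves that the DN exists and that the account can read it.
            $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDn, '(objectClass=*)',
                [System.DirectoryServices.Protocols.SearchScope]::Base,
                [string[]]@('distinguishedName'))
            $response = $conn.SendRequest($request)
            if ($response.Entries.Count -eq 1) {
                $result.Ok     = $true
                $result.Detail = 'bound and read ' + $response.Entries[0].DistinguishedName
            } else {
                $result.Detail = 'bound, but basedn returned no entry'
            }
        } catch {
            $result.Detail = $_.Exception.Message
        } finally {
            $conn.Dispose()
        }
        $result
    }
}

# Usage with hypothetical values (the dedicated service account is an example, not a real DN):
# ConvertTo-LdapConfPassword -Password (Read-Host 'bind password')   # paste the result after "password = "
# Test-LdapConfStanza -Servers 'host1.spl.com;host2.spl.com' -Port 636 -Ssl $true -BaseDn 'dc=spl,dc=com' `
#     -BindDn 'cn=svc-splunk-ldap,ou=Service Accounts,dc=spl,dc=com' -Password (Read-Host 'bind password') |
#     Format-Table Server, Port, Ssl, Ok, Detail -AutoSize
```

Run it from the search head itself, because that is where SA-ldapsearch will make the connection and where name resolution, firewall rules and certificate trust have to be right. Reading the password with Read-Host keeps it out of the PowerShell history that a literal on the command line would leave behind.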

    Install the app onto the central Splunk instance

After you have configured the various technology add-ons for the Splunk App for Active Directory, you must now install the app itself onto your central Splunk instance.

Once installed, users can log into the app and view data collected from your AD domain controllers and DNS servers.

Install the app onto your central Splunk instance

To install the Splunk App for Active Directory onto the central Splunk instance:

1. Place the Splunk_for_ActiveDirectory folder into %SPLUNK_HOME%\etc\apps on the central Splunk instance.

Note: If your central Splunk instance is set up as a distributed environment, then you must install the app onto all servers acting as search heads. We strongly suggest you use a deployment server to send apps and configurations to all of the search heads in the instance.

2. Make a copy of %SPLUNK_HOME%\etc\apps\Splunk_for_ActiveDirectory\default\eventtypes.conf and place it into %SPLUNK_HOME%\etc\apps\Splunk_for_ActiveDirectory\local.

3. Open the copied file in local for editing.

4. In this file, ensure that the following stanzas have the correct index defined within each search attribute:

    [admon]

    [wineventlog-security]

    [wineventlog-ds]

    [wineventlog-dns]

    [perfmon]

    [powershell]

    [ad-files]

Following is an example of the pertinent section of eventtypes.conf:

[admon]
search = index=msad source=ActiveDirectory

[wineventlog-security]
search = index=main source=WinEventLog:Security

[wineventlog-ds]
search = index=winevents source="WinEventLog:Directory Service"

[wineventlog-dns]
search = index=winevents sourcetype=WinEventLog:DNS-Server

[perfmon]
search = index=perfmon source="Perfmon:*"

[powershell]
search = index=msad source=Powershell

[ad-files]
search = index=msad

5. Remove any unchanged stanzas from the file, so that local overrides only what you changed and the defaults continue to apply to the rest.

6. Save the file and close it.
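Both hand edits described so far, the index keys in the add-ons' admon.conf, perfmon.conf and inputs.conf ("Configure and deploy the technology add-ons") and the index= terms inside the search attributes of eventtypes.conf above, are the same substitution applied to different files. The following PowerShell function is an added example, not part of the app or of Splunk, that applies one old-to-new index mapping to all of them: it copies each file from default\ to local\ if no local copy exists yet, rewrites only the index references it finds, skips comment lines, and reports what it changed. It assumes Windows PowerShell on the machine holding the app directories, that the default index names are the ones listed in the Overview table (the mapping in the usage lines is an illustration), and that $env:SPLUNK_HOME is set. The target indexes must exist on the indexers first.

```powershell
# Set-SplunkIndexMapping.ps1 - added example, not part of the Splunk App for Active Directory.

function Set-SplunkIndexMapping {
    param(
        [Parameter(Mandatory=$true)][string]    $AppPath,   # TA or app directory that has a default\ folder
        [Parameter(Mandatory=$true)][hashtable] $IndexMap,  # @{ 'old index' = 'new index'; ... }
        [string[]] $ConfFiles = @('inputs.conf', 'admon.conf', 'perfmon.conf', 'eventtypes.conf')
    )
    $defaultDir = Join-Path $AppPath 'default'
    $localDir   = Join-Path $AppPath 'local'
    if (-not (Test-Path $localDir)) { New-Item -ItemType Directory -Path $localDir | Out-Null }

    foreach ($name in $ConfFiles) {
        $src = Join-Path $defaultDir $name
        $dst = Join-Path $localDir   $name
        if (-not (Test-Path $dst)) {
            if (-not (Test-Path $src)) { continue }     # this app has no such file
            Copy-Item -Path $src -Destination $dst     # default\ stays untouched, so upgrades cannot clobber the edit
        }
        $changed = 0
        $out = foreach ($line in @(Get-Content -Path $dst)) {
            $new = $line
            if ($line -match '^\s*#') {
                # comment line: leave as is
            } elseif ($line -match '^(\s*index\s*=\s*)(\S+)(\s*)$') {
                # key form used by inputs.conf, admon.conf and perfmon.conf:  index = msad
                if ($IndexMap.ContainsKey($Matches[2])) {
                    $new = $Matches[1] + $IndexMap[$Matches[2]] + $Matches[3]
                }
            } elseif ($line -match '^\s*search\s*=') {
                # search form used by eventtypes.conf:  search = index=msad source=...
                # Splitting on a captured group keeps the whitespace, so the join below is lossless.
                $parts = $line -split '(\s+)'
                for ($i = 0; $i -lt $parts.Length; $i++) {
                    if ($parts[$i] -match '^index=("?)([^"\s]+)\1$' -and $IndexMap.ContainsKey($Matches[2])) {
                        $parts[$i] = 'index=' + $Matches[1] + $IndexMap[$Matches[2]] + $Matches[1]
                    }
                }
                $new = $parts -join ''
            }
            if ($new -ne $line) { $changed++ }
            $new
        }
        # Splunk .conf files are ASCII; the UTF8 option would add a byte-order mark that Splunk does not expect.
        Set-Content -Path $dst -Value @($out) -Encoding ASCII
        New-Object PSObject -Property @{ File = $dst; LinesChanged = $changed }
    }
}

# Usage (the mapping is illustrative; use the index names you created on the indexers):
# $map = @{ 'msad' = 'ad-monitor'; 'perfmon' = 'ad-perfmon'; 'winevents' = 'ad-eventlogs'; 'main' = 'ad-eventlogs' }
# Set-SplunkIndexMapping -AppPath "$env:SPLUNK_HOME\etc\deployment-apps\TA-DomainController-NT6" -IndexMap $map
# Set-SplunkIndexMapping -AppPath "$env:SPLUNK_HOME\etc\apps\Splunk_for_ActiveDirectory" -IndexMap $map -ConfFiles eventtypes.conf
```

Because the mapping is looked up per occurrence in a single pass, a name that is both a key and a value in the map (say, renaming winevents to main while also renaming main) cannot be rewritten twice. The function leaves unchanged stanzas in local\, which Splunk tolerates since local\ merges over default\ attribute by attribute; step 5 above prefers that you delete them, and the LinesChanged count tells you which files are worth that pass.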

Upgrade the Splunk App for Active Directory

    Upgrade the Splunk App for Active Directory

This topic discusses what you must do to upgrade your Splunk App for Active Directory environment from a previous version.

Overview

The upgrade process for the Splunk App for Active Directory is simple, particularly if you have a deployment server to distribute applications and configurations across your servers.

There are some important steps you must take in order to upgrade successfully:

Upgrading from version 1.0 to version 1.1.4?

First, you must distribute the upgraded technology add-ons to all of the universal forwarders in your Splunk App for Active Directory environment.

Next, you must upgrade the Splunk App for Active Directory itself and install the new SA-ldapsearch supporting add-on into your central Splunk instance.

Finally, you must rebuild the lookup tables which the Splunk App for Active Directory uses to populate its dashboards, views and reports. This last step is very important and, if you do not perform it, will result in missing or incorrect information in your Splunk App for Active Directory deployment.

Upgrading from version 1.1 to version 1.1.4?

First, you must distribute the upgraded technology add-ons to all of the universal forwarders in your Splunk App for Active Directory environment.

Then, you must rebuild the lookup tables which the Splunk App for Active Directory uses to populate its dashboards, views and reports. This last step is very important and, if you do not perform it, will result in missing or incorrect information in your Splunk App for Active Directory deployment.

    Upgrade the Splunk App for Active Directory

To upgrade the Splunk App for Active Directory to the latest version, follow these steps:

1. Download the updated Splunk App for Active Directory package from Splunkbase and unpack it to an accessible location.

2. Download the new SA-ldapsearch supporting add-on and unpack it to an accessible location.

Important: The SA-ldapsearch supporting add-on replaces the Perl LDAP commands that come with the Splunk App for Active Directory.

3. Upgrade the Splunk for Active Directory technology add-ons (TAs):

a. Place the updated TAs into $SPLUNK_HOME/etc/deployment-apps on your deployment server.

b. Edit the TAs, as described in "Configure and deploy the technology add-ons".

c. Finally, deploy the TAs, as described in "Deploy TAs and configurations with a deployment server."

Note: If you do not have a deployment server, or do not wish to use one to deploy the updated TAs, then you must manually copy the TAs to %SPLUNK_HOME%\etc\apps on each domain controller or DNS server, as described in "Configure and deploy the technology add-ons" and "How to deploy the Splunk App for Active Directory". You will also need to manually restart each universal forwarder in your Splunk App for Active Directory environment for the changes to take effect.

4. Edit the eventtypes.conf file within the main Splunk App for Active Directory package, as described in "Install the app onto the central Splunk instance".

Note: You can also copy your existing eventtypes.conf on your central Splunk instance.

5. Edit the ldap.conf file within the SA-ldapsearch supporting add-on package, as described in "Configure the SA-ldapsearch supporting add-on".

Note: You can use the activedirectory.conf from your existing central Splunk instance as the basis for the new ldap.conf.

6. Remove the existing Splunk App for Active Directory installation from all servers in your central Splunk instance by deleting the Splunk_for_ActiveDirectory folder within $SPLUNK_HOME/etc/apps. This also deletes the local folder, so make sure you have the copies of eventtypes.conf and ldap.conf from steps 4 and 5 before you do.

7. Deploy the new Splunk_for_ActiveDirectory app by placing it into $SPLUNK_HOME/etc/apps on all servers in your central Splunk instance.

8. Deploy the new SA-ldapsearch supporting add-on by placing it into $SPLUNK_HOME/etc/apps on all search heads in your central Splunk instance.

9. Restart the central Splunk App for Active Directory instance:

First, restart all search heads in the central Splunk instance.

Then, restart all indexers in the instance.

Rebuild the Splunk App for Active Directory's lookup tables

Once you have updated the Splunk App for Active Directory, you must update the app's lookup tables so that it properly presents your data.

Important: If you are upgrading from version 1.0 to version 1.1.4, be sure to read the upgrade instructions for version 1.1 for instructions on how to update additional lookup tables that are not shown in this topic.

1. Log into your central Splunk instance.

2. Once logged in, click the Splunk Home tab, then select Splunk App for Active Directory in the list.

3. On the Splunk App for Active Directory's Topology Report page, click the Search menu in the upper left corner.

4. On the Search page, set the time picker (the drop down menu on the right edge of the search bar) to "Last 30 days".

5. In the search bar, type in and execute the following search command to rebuild the Domain Selector lookup table:

`domain-selector-search`|outputlookup DomainSelector.csv

Note: Be sure to include the back-quotes (`) that surround the search command elements.

6. Next, type in and execute the following search command to rebuild the Host to Domain lookup table:

`domain-list`|outputlookup DomainList.csv

Note: Once each rebuild is complete, Splunk prints a message in the search window stating that the rebuild was successful.

    Use the Splunk App for Active Directory

    Log in and get started

    This topic shows you how to log in to Splunk Web, access the Splunk App forActive Directory, and get started.

    Log in to Splunk Web

    To log into Splunk Web and access the Splunk App for Active Directory, navigate to:

    http://<host>:8000

    Use the host and port you chose during installation of Splunk. The default port is 8000. Splunk Web serves plain HTTP unless you have enabled SSL for it, in which case use https:// instead.

    The first time you log in to Splunk, the default login details are:

    Username: admin
    Password: changeme

    Change the admin password to a strong one immediately after you first log in: the default credentials are publicly known, and this account has full access to the Active Directory audit data the app collects.

    Access the Splunk App for Active Directory

    Once you've logged in to Splunk Web, you'll see the Welcome page.

    Click the "Splunk Home" tab, which lists all the apps that are currently installed. You should see the Search and Getting Started apps, as well as the Splunk App for Active Directory.

    Then, to access the Splunk App for Active Directory, click on it in the list.

    To learn about the various dashboards available, review "Dashboard reference."

    Configuration

    The Splunk App for Active Directory does not have configurable elements within the application itself. You perform all configuration during the app's setup phase.


    Review the following topics in this manual for additional information:

    Overview

    What a Splunk App for Active Directory deployment looks like

    Installation

    How to deploy the Splunk App for Active Directory
    Enable auditing and PowerShell on domain controllers
    Configure and deploy the technology add-ons
    Configure the SA-ldapsearch supporting add-on
    Deploy TAs and configurations with a deployment server
    Install the app onto the central Splunk instance

    Dashboard reference overview

    The Splunk App for Active Directory comes with several dashboards that give you in-depth access to the operation, health and security status of your Active Directory environment. This topic provides links to other topics that describe the dashboards in detail.

    The Splunk App for Active Directory has four menus which provide access to data collected by the app in various ways:

    Search: This menu allows you to use search commands to retrieve any data collected by the app, and presents events that match the search terms that you enter, much like regular Splunk.

    Operations: The Operations menu offers information on your Active Directory's topology, domain, and DNS statuses, as well as reports on health, performance and replication status.

    Security: The Security menu provides insight into your Active Directory's security profile and operations, including activity on security principal objects as well as changes to AD itself. There are several audit reports which detail the current status of users, computers, groups, and Group Policy objects.

    Change Management: The Change Management menu provides details of the recent changes that administrators and valid delegates have made to your Active Directory environment.

    Dashboard reference: Operations

    This topic discusses the various dashboards available under the Operations menu in the Splunk App for Active Directory.

    Topology Report

    When you first log into the Splunk App for Active Directory, it displays the Topology Report: a view of all of the AD forests, domains, and domain controllers known to the Splunk App for Active Directory at the present time. You can return to this dashboard at any time by selecting Operations > Topology Report from the menus below the Splunk App for Active Directory banner.

    The Topology Report dashboard is split into two halves, top and bottom. The top half of the dashboard is a selection panel which allows you to choose the forests, sites, domains, and domain controllers that are known to the Splunk App for Active Directory. You can select multiple objects at a time by holding down the Ctrl key and clicking on the desired entries.

    The bottom half of the dashboard displays additional information based on what you select on the top half. It displays detailed information on the domain controllers in the selected forest and domain, and includes the following statistics:

    The host name of the domain controller (DC).
    The AD site that the DC belongs to.
    The operating system and version of Windows the server runs.
    The AD Flexible Single Master Operation (FSMO) role(s) the server holds.
    Information on the Directory Service Agent (DSA) options available for the DC.
    Information on the status of the AD services that the machine runs.
    Information on whether or not the server has registered itself in DNS.
    Information on whether or not the machine's SYSVOL share is available on the network.

    In this dashboard, the operations master roles for each server are indicated by icons shown under the "Master Roles" column. The roles are:

    Schema Master: Controls all updates to the Active Directory schema and replicates them to every other domain controller in the forest. There can be only one Schema Master in a forest.

    Domain Naming Master: Controls the naming of all domains within the forest. It is the only domain controller that can add domains to, or remove domains from, Active Directory, so only one Domain Naming Master can be present in a forest.

    Relative ID (RID) Master: Maintains the relative ID (RID) pool and allocates blocks of RIDs to the other domain controllers in the domain when they request them during the creation of security principal objects such as users and groups. There can be only one RID Master in a domain.

    PDC Emulator Master: Acts as the Primary Domain Controller (PDC) for the domain and is the authoritative time source for it. It also receives urgent replication of password changes, processes account lockouts, and is the default domain controller for Group Policy edits; in domains that still contain down-level (Windows NT 4.0) backup domain controllers it acts as their PDC. Only one PDC Emulator can be present in a domain.

    Infrastructure Master: Updates the security identifier (SID) and distinguished name (DN) held in cross-domain object references, such as a group member that lives in another domain. There can be only one Infrastructure Master in a domain.

    The DSA options are listed as icons under the "DSA Options" column:

    A globe indicates that the server is a Global Catalog (GC).
    A padlock indicates that the server is a Read-only Domain Controller (RODC).

    You can click on any domain controller in the list to get additional information about that domain controller. See Domain Controller Status for more details.

    You can limit the number of domain controller objects displayed by selecting the Show n entries list box on the left. You can also search for a specific string (such as the name of a domain controller) by typing the string in the Search: field on the right.

    Domain Services

    The Domain Services series of dashboards displays information on the selected domains, sites, and domain controllers.


    Domain Status

    The Domain Status dashboard gives you information on the selected domain, including:

    Which domain controllers in the domain hold AD operations master roles
    Which site(s) the domain is a part of
    Which domain controllers serve the domain

    You can choose which domain you want to view by choosing it in the Domain drop-down list in the Domain Status pane of the dashboard.

    You can click on one of the listed sites to get additional information about the site. See Site Status.

    You can click on one of the listed domain controllers to get additional information about that controller. See Domain Controller Status.

    You can also adjust how much data you see by selecting the time range you desire in the time range picker.

    Site Status

    The Site Status dashboard gives you information about the sites in your Active Directory forest, including:

    Which domain controller holds the Inter-Site Topology Generator (ISTG) role for the site.
    A list of the domains included in the site.
    A list of the domain controllers included in the site.
    A list of the IP network subnets configured for the site.
    The number and replication status of any site links between this and other AD sites.
    The targeted and actual weighting of Active Directory-related activity across all of the domain controllers for a particular domain.

    In the Site Status pane of this dashboard, you can select the site you want to view by choosing it in the Site drop-down list. This automatically updates the Domain drop-down list next to it, which lets you view more information about the chosen domain.

    You can click on a domain in the Domains in Site list to get more information about that domain.


    You can click on a domain controller in the Domain Controllers in Site list to get details about that domain controller.

    You can also adjust how much data you see by selecting the time range you desire in the time range picker.

    Domain Controller Status

    The Domain Controller Status dashboard gives you information on the domain controllers in your Active Directory environment, including:

    Information on Directory Services performance, with spark lines and average values over time for important DS-related performance counters.
    Information on replication performance, also with spark lines and average values over time.
    Any anomalous events that you should be aware of.

    You can click on individual counters in both the Directory Services Performance and Replication Performance sections of the dashboard to review specifics about the values returned by those objects.

    You can also adjust how much data is displayed by selecting the time range you desire in the time range picker.

    DNS Services

    The DNS Services series of dashboards displays information about the health, configuration, and performance of Active Directory DNS operations. As DNS is a vital component of Active Directory, problems displayed here might assist in the troubleshooting and analysis of Active Directory itself.

    DNS Services dashboards are accessible at any time by selecting Operations > DNS Svcs > DNS Status from the menus below the Splunk App for Active Directory banner.

    DNS Status

    The DNS Status dashboard displays an overview of current DNS operations and includes:

    A selectable list of known DNS servers in your AD environment. This includes each server's host name, the status of DNS on the server, the zones in which it participates, the OS version and service pack level, and a spark line depicting the average number of DNS queries per second.
    A selectable list of known DNS zones in the environment. This consists of the zone name, the servers that control the zone, the number of records in the zone and a breakdown by record type.
    A list of anomalous DNS-related events that have recently occurred.

    You can select a server in the DNS Servers list to get more information about that server. See DNS Server Status.

    You can select a zone in the DNS Zones list to get additional details about that zone. See DNS Zone Information.

    You can click on an anomalous event in the Anomalous Events list to get specifics about that event.

    You can also adjust how much data is displayed by selecting the time range you desire in the time range picker at the top of the dashboard. Clicking the magnifying glass button above it refreshes the data shown in the dashboard.

    DNS Server Status

    The DNS Server Status dashboard is similar to the Domain Controller Status dashboard described above. However, this dashboard contains information about DNS Query Performance and Recursion Performance instead of AD Directory Services and replication performance.

    You can click on a performance metric in either performance pane to get details about the selected metric. An Anomalous Events pane at the bottom of the dashboard lists events that warrant further investigation.

    You can also adjust how much data is displayed by selecting the time range you desire in the time range picker at the top of the dashboard.

    DNS Zone Information

    The DNS Zone Information dashboard contains details about a known Active Directory DNS zone, including:

    Important DNS zone configuration settings.
    A list of the DNS servers that control the zone.
    The status of replication of DNS servers that control the zone, and whether or not those servers are out of sync.


    Note: You cannot change DNS settings in this dashboard. To change DNS settings, you must use the DNS configuration tool on the DNS server(s) that control the zone that you wish to change.

    You can get additional information about the DNS servers that control the zone by selecting the desired server in the DNS Servers list. See DNS Server Status for additional information.

    You can choose which DNS zone you want to display by selecting it in the DNS Zone: drop-down list at the top of the dashboard.

    You can also adjust how much data is displayed by selecting the time range you desire in the time range picker.

    DNS Performance

    The DNS Performance dashboard lets you view specific DNS performance metrics in chart form, based on the server and performance metrics you choose in the drop-down lists on the upper right portion of the dashboard.

    Each metric is overlaid with CPU performance information so that you can correlate anomalous readings with CPU usage in real time.

    You can adjust how much data is displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

    DNS Reports

    The DNS Reports collection allows you to generate reports on your DNS operations by running real-time searches against the collected DNS data. These reports include:

    DNS Failing Domains
    DNS Top Filing Domains
    DNS Top Hosts sending failing queries
    DNS Top Non-authoritative responses
    DNS Top Querying Hosts
    DNS Top Recursive Failure Domains
    DNS Top Requested Queries

    Note: In order to view these statistics, your DNS servers must have debug logging enabled. If this feature is not turned on, then these reports will be blank. Review "Deployment process" for instructions.
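    The DNS Reports above are produced by Splunk searches over the DNS debug log, which is why the log has to be enabled first. The following script is an added example, not part of the Splunk App for Active Directory: it reproduces four of those reports (top querying hosts, top requested queries, failing domains with the hosts sending them, and non-authoritative responses) in plain Python from the packet records that the Windows DNS Server service writes when debug logging is on. The parser follows the text layout Microsoft documents for that log (date, time, thread ID, PACKET, packet ID, UDP/TCP, Snd/Rcv, remote IP, XID, "R" on responses, opcode, bracketed flags/rcode, query type, query name in length-prefixed label form); the log lines embedded in it are constructed for the example and were not captured from a real server.

```python
"""Reproduce the DNS Reports counters from a Windows DNS debug log.

Added example, not part of the Splunk App for Active Directory. Parses DNS
debug-log packet records and computes the report counters offline. The
sample lines are constructed; the layout is the documented debug-log format.
"""
import re
from collections import Counter

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
4/2/2013 10:15:20 AM 0B10 PACKET  000000000291CE10 UDP Rcv 10.1.4.20       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
4/2/2013 10:15:20 AM 0B10 PACKET  000000000291CE10 UDP Snd 10.1.4.20       0002 R Q [8580 A DR  NOERROR] A      (3)www(7)example(3)com(0)
4/2/2013 10:15:21 AM 0B10 PACKET  000000000291D1A0 UDP Rcv 10.1.4.22       0003   Q [0001   D   NOERROR] A      (6)update(4)evil(3)xyz(0)
4/2/2013 10:15:21 AM 0B10 PACKET  000000000291D1A0 UDP Snd 10.1.4.22       0003 R Q [8183   DR NXDOMAIN] A      (6)update(4)evil(3)xyz(0)
4/2/2013 10:15:22 AM 0B10 PACKET  000000000291D4F0 UDP Rcv 10.1.4.22       0004   Q [0001   D   NOERROR] A      (2)c2(4)evil(3)xyz(0)
4/2/2013 10:15:22 AM 0B10 PACKET  000000000291D4F0 UDP Snd 10.1.4.22       0004 R Q [8183   DR NXDOMAIN] A      (2)c2(4)evil(3)xyz(0)
4/2/2013 10:15:23 AM 0B10 PACKET  000000000291D820 UDP Rcv 10.1.4.20       0005   Q [0001   D   NOERROR] A      (6)splunk(3)com(0)
4/2/2013 10:15:23 AM 0B10 PACKET  000000000291D820 UDP Snd 10.1.4.20       0005 R Q [8081   DR  NOERROR] A      (6)splunk(3)com(0)
4/2/2013 10:15:24 AM 0B10 PACKET  000000000291DB60 UDP Rcv 10.1.4.25       0006   Q [0001   D   NOERROR] MX     (7)example(3)com(0)
4/2/2013 10:15:24 AM 0B10 PACKET  000000000291DB60 UDP Snd 10.1.4.25       0006 R Q [8582 A DR SERVFAIL] MX     (7)example(3)com(0)
this line is not a packet record and must be skipped
"""

# One packet record per line; the qr group is "R" for responses, empty for queries.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<packet>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+"
    r"(?P<remote_ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<qr>R?)\s*(?P<opcode>[A-Z])\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
FAILURE_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}


def decode_qname(label_form):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = re.findall(r"\((\d+)\)([^()]*)", label_form)
    return ".".join(text for length, text in labels if int(length) > 0)


def parse_dns_debug_log(text):
    """Return one dict per packet record; other lines (headers, dumps) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tokens = m.group("flags").split()     # e.g. ['8183', 'DR', 'NXDOMAIN']
        if len(tokens) < 2:
            continue
        records.append({
            "direction": m.group("direction"),          # Rcv = from client, Snd = to client
            "remote_ip": m.group("remote_ip"),
            "is_response": m.group("qr") == "R",
            "authoritative": bool(int(tokens[0], 16) & 0x0400),  # AA bit of the DNS header
            "rcode": tokens[-1],
            "qtype": m.group("qtype"),
            "qname": decode_qname(m.group("qname")),
        })
    return records


def _received_queries(records):
    return [r for r in records if r["direction"] == "Rcv" and not r["is_response"]]


def top_querying_hosts(records):
    return Counter(r["remote_ip"] for r in _received_queries(records))


def top_requested_queries(records):
    return Counter(r["qname"] for r in _received_queries(records))


def failing_responses(records):
    return [r for r in records
            if r["direction"] == "Snd" and r["is_response"] and r["rcode"] in FAILURE_RCODES]


def failing_domains(records, labels=2):
    """Failures per registered domain, i.e. the last `labels` labels of the name."""
    return Counter(".".join(r["qname"].split(".")[-labels:]) for r in failing_responses(records))


def hosts_sending_failing_queries(records):
    return Counter(r["remote_ip"] for r in failing_responses(records))


def non_authoritative_responses(records):
    """Successful answers this server gave without the AA bit (recursed/cached data)."""
    return Counter(r["qname"] for r in records
                   if r["direction"] == "Snd" and r["is_response"]
                   and r["rcode"] == "NOERROR" and not r["authoritative"])


if __name__ == "__main__":
    recs = parse_dns_debug_log(SAMPLE_LOG)
    print("top querying hosts:", top_querying_hosts(recs).most_common(3))
    print("failing domains:", failing_domains(recs).most_common(3))
    print("hosts sending failing queries:", hosts_sending_failing_queries(recs).most_common(3))
    print("non-authoritative answers:", non_authoritative_responses(recs).most_common(3))
```

    The authoritative flag is taken from the hex flags word rather than from the letter column, because the letters are laid out in fixed positions and are easy to mis-split; the response code is taken from the last token inside the brackets for the same reason. A run of NXDOMAIN answers for many hostnames under one registered domain, as in the two evil.xyz names above, is the pattern the Failing Domains report is meant to surface.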


    Reports

    The Reports series of dashboards provides insight into major health and performance issues with your Active Directory environment. These dashboards provide one-step access to information on problems that are currently happening within your environment, allowing you to quickly analyze and take appropriate action.

    Health Issues

    The Health Issues dashboard displays active problems occurring with the domain controllers within your AD forest. It also displays anomalous events that you should be aware of, such as reboots, problems with the Knowledge Consistency Checker (KCC) on domain controllers, and other unexpected circumstances.

    You can control how much information is displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.

    Subnet Affinity Issues

    Occasionally, a computer appears from an IP address that is not associated with any AD site. The Subnet Affinity Issues dashboard provides a concise report for handling this case. When you see an IP address on this page, add the subnet that contains it and associate it with a site, using the Active Directory Sites and Services tool on a domain controller or on an administrative workstation with the AD DS tools installed; subnets live in the forest-wide Configuration partition, so any writable domain controller can accept the change. IP addresses that report more frequently appear nearer the top of the list.

    You can control how much information is displayed by selecting the time range you desire in the time range picker on the upper left side of the dashboard.
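    The check behind this report is a longest-prefix match of each observed address against the site subnet table. The script below is an added example, not code from the Splunk App for Active Directory: it performs that match with Python's standard ipaddress module and ranks the unmatched addresses by how often they were seen, as the dashboard does. The subnet-to-site table and the observed addresses are constructed sample data, not values from a real forest.

```python
"""Find IP addresses that fall outside every subnet assigned to an AD site.

Added example, not part of the Splunk App for Active Directory. Reproduces
the Subnet Affinity Issues check offline; all data below is constructed.
"""
import ipaddress
from collections import Counter

# Constructed sample: subnet -> site, as defined in Active Directory Sites
# and Services (assumed names and ranges).
SITE_SUBNETS = {
    "10.1.0.0/16": "Default-First-Site-Name",
    "10.2.0.0/16": "Branch-London",
    "10.2.5.0/24": "Branch-London-DMZ",   # more specific than 10.2.0.0/16
    "2001:db8:1::/48": "Branch-London",
}

# Constructed sample: source addresses seen in logon and DC-locator events.
OBSERVED_IPS = [
    "10.1.4.20", "10.1.4.20", "10.2.5.9", "10.2.9.1",
    "192.168.77.5", "192.168.77.5", "192.168.77.5",
    "10.9.0.3", "2001:db8:1::10", "2001:db8:9::10", "not-an-ip",
]


def build_site_table(site_subnets):
    """Parse the subnet strings once and order them longest-prefix-first, so the
    most specific subnet wins when several contain an address, which is how
    the DC locator resolves a client to a site."""
    table = [(ipaddress.ip_network(cidr, strict=True), site)
             for cidr, site in site_subnets.items()]
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table


def site_for(ip, table):
    """Return the site name for an address, or None if no subnet covers it.
    Raises ValueError for strings that are not IP addresses."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr.version == network.version and addr in network:
            return site
    return None


def subnet_affinity_issues(observed_ips, site_subnets):
    """Return ([(ip, hit_count), ...] most frequent first, [unparseable strings]).
    Unparseable input is reported rather than silently dropped, so a broken
    field extraction shows up instead of hiding an orphaned address."""
    table = build_site_table(site_subnets)
    orphans = Counter()
    invalid = []
    for ip in observed_ips:
        try:
            if site_for(ip, table) is None:
                orphans[ip] += 1
        except ValueError:
            invalid.append(ip)
    ranked = sorted(orphans.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked, invalid


if __name__ == "__main__":
    issues, bad = subnet_affinity_issues(OBSERVED_IPS, SITE_SUBNETS)
    for ip, count in issues:
        print(f"{count:4d}  {ip}  -> no AD site; add its subnet in Sites and Services")
    if bad:
        print("unparseable:", ", ".join(bad))
```

    Overlapping subnets are legitimate in AD (a /24 carved out of a /16 for a DMZ, as above), so the table must be searched most-specific-first or the DMZ address would be attributed to the wrong site.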

    Replication issues

    The Active Directory Replication Health dashboard lets you review current AD replication agreements, and the status of those agreements.

    You can change the context in which you view the replication agreements by selecting the Naming Context drop-down on the upper right side of the dashboard.

    You can also adjust how much time is considered when constructing the reports by selecting the time range you desire in the time range picker on the upper left.


    Performance

    The Performance dashboard lets you view all AD-related performance metrics across all domain controllers in your AD forest in a chart.

    To view a metric, select the desired domain controller from the Server drop-down list on the upper right of the dashboard. Then select the performance Object and, finally, the desired Counter in the same fashion.

    The chart is displayed on the lower portion of the dashboard.

    You can also adjust how much data is displayed by selecting the time range you desire in the time range picker on the upper left portion of the window.

    Dashboard reference: Security

    The Security series of dashboards gives you visibility into the defensive posture of your Active Directory operations. They provide information on logon failures, attempts to circumvent user security settings, and user utilization, and display audits and reports on all AD objects in your environment.

    Each of the Security dashboards is split into two sections. The top section of the dashboard is a selection panel which allows you to choose the forests, sites, domains, and domain controllers that are known to the Splunk App for Active Directory, to narrow your search. You can select multiple objects at a time. The bottom portion of the dashboard displays additional information based on what you select on the top half.

    You can also control how much data is displayed by selecting the time range you desire in the time range picker on the upper left portion of the window.

    User Logon Failures

    The User Logon Failures dashboard provides insight into recent failed attempts by users to log into your domain. Specific statistics include:

    Failed logons over time.
    Failed interactive logons by IP address.
    Failed logons by reason (for example, expired password, locked account, or disabled account).
    Failed interactive logons by username.
    Failed logons by logon type.
    Users failing to log on from multiple IP addresses (for example, a brute-force attempt against one account from several sources).

    Anomalous Logons

    Like the User Logon Failures dashboard, the Anomalous Logons dashboard contains information about questionable user activity on your network, including attempts to access resources with accounts that should no longer be able to log on. Specific statistics displayed here include:

    Users logging on from more than one AD site
    Users logging on from more than one workstation
    Attempts to log on to disabled or expired accounts

    User Utilization

    The User Utilization dashboard displays statistics on:

    The number of logons over time.
    The top number of successful logons, by user.
    The number of locked accounts.
    The top number of authenticating workstations.

    Audit

    The Audit series of dashboards allows you to take stock of changes that have happened to your Active Directory environment over time. The audits you can perform are:

    Administrator audit
    Computer audit
    User audit
    Group audit
    Group Policy audit
    Organizational Unit (OU) audit

    In all audit dashboards, you can control how much data is displayed by selecting the time range you desire in the time range picker on the upper left portion of each dashboard.


    Administrator Audit

    The Administrator Audit dashboard displays information about recent activity by administrators in your AD environment. The dashboard displays the following specifics:

    Administrator logons.
    Attempts by administrators to unlock accounts.
    Other administrative changes to user accounts.
    Administrative changes to computer accounts.
    Administrative changes to groups.
    Administrative changes to Group Policy and Group Policy objects.
    Additions, changes or deletions of computer accounts.

    In the upper portion of the dashboard, you can choose the domain from which you want to display administrator audit data by selecting the Account Domain drop-down list. You can further narrow down your search by selecting an administrator from the Administrator drop-down list.

    Clicking on a chart in the Administrator Audit dashboard takes you to one of the five other dashboards shown below.

    Computer Audit

    The Computer Audit dashboard displays information about access to Active Directory from computer accounts, and includes statistics on:

    Active Directory record.
    Group membership.
    Accounts that were locked out after attempting a logon from a specific workstation.
    Failed logons from specific computers.

    In the upper portion of the dashboard, you can choose the domain from which you want to display computer audit data by selecting the Account Domain drop-down list. You must do so in order to get information on computer account activity within the domain.

    You can further narrow down your search by typing in the name of a valid computer account in the Computer Account field.


    User Audit

    The User Audit dashboard displays information about Active Directory user objects, and includes specifics on:

    Active Directory record.
    Group membership.
    Accounts that were locked out after failing to log on properly.
    Failed logons by the selected workstation.

    In the upper portion of the dashboard, you can choose the domain from which you want to display user audit data by selecting the Account Domain drop-down list. You must do so in order to get information on user account activity within the domain.

    You can further narrow down your search by typing in the name of a valid user object in the User Account field.

    Group Audit

    The Group Audit dashboard displays information about Active Directory group objects, and includes statistics on:

    Active Directory record.
    A full group membership list.
    Recent changes to the group membership.

    In the upper portion of the dashboard, you can choose the domain from which you want to display group audit data by selecting the Account Domain drop-down list. You must do so in order to get information on group activity within the domain.

    You can further narrow down your search by typing in the name of a valid group object in the Group Name field.

    Group Policy Audit

    The Group Policy Audit dashboard displays information about Active Directory Group Policy objects (GPOs), and includes statistics on:

    Which Group Policy objects are linked to which containers.
    Recent changes to Group Policy.


    In the upper portion of the dashboard, you can choose the domain from which you want to display Group Policy audit data by selecting the Domain drop-down list. You can further narrow down your search by typing the name of a valid GPO in the Group Policy Name field.

    Organizational Unit (OU) Audit

    The OU Audit dashboard displays information about Active Directory Organizational Units, and includes the Active Directory record of the selected OU.

    In the upper portion of the dashboard, you can choose the domain from which you want to display OU audit data by selecting the Domain drop-down list. You can further narrow down your search by typing the name of a valid OU in the Organizational Unit Name field.

    Reports

    The Reports series of dashboards displays detailed information about all aspects of your Active Directory environment.

    You can display and print the following reports:

    Computer Accounts:
    All
    Domain controllers only
    New
    Deleted
    Active
    Inactive
    Unused
    Disabled
    Trusted
    No Manager (The object doe