Through the Splunk Trenches

Sifting through computer logs is a lot like digging a trench. It can be done with your hands, it can be done with a shovel, but if you’ve got a backhoe, life becomes much less strenuous. For computer logs, Splunk is a backhoe.

If you’re having issues with users logging in, the first thing you can do is search a username. Most domains have a separate user account for each person logging into that domain. So, if you think that Bill logged into your domain controller and changed some settings, search host="domain controller name or IP address" Bill. This brings up all of the times Bill has logged on and off of the domain controller and is a good way to check for security problems. Red flags go up if a user is suddenly logging onto a server they shouldn’t have access to.

A big demand in the tech world right now is Active Directory monitoring. Splunk offers alerts that can be sent to a console or by SMTP (Simple Mail Transfer Protocol). I prefer the latter because, that way, you don’t have to sit and watch the console to see if something happens!

The way to configure alerts is fairly simple on the surface. You step through the handy dandy alert process and, most of the time, you immediately have something in the console. So what’s the issue? You’ve got to be very specific in your search string! Instead of just searching for Bill (using our example from before), search for his name, the host he’s logging into, and make sure you’re not searching “all time.” This will give you more relevant information.
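The two points above (searching a host for one user’s logons and logoffs, and narrowing an alert search to the user, the host and a time window instead of "all time") are worked through below in Python. This is an added example, not code from the original post or from Splunk: the log lines are constructed, the field names (host, EventCode, Account_Name, Logon_Type, Source_Network_Address) are assumed to mirror what Splunk’s Windows event log inputs produce, and the fixed "now" timestamp is there only so the example runs the same way every time. Event IDs 4624 and 4634 are the real Windows Security logon and logoff events. The search() function mimics a narrowed Splunk search such as host="DC01" Bill earliest=-24h, and unexpected_logons() implements the "red flag" check: a user logging onto a server outside the set of hosts they are expected to use.

```python
"""Constructed example: filter Windows Security logon/logoff events the way a
narrowed Splunk search would, then flag logons to hosts a user should not use.

Nothing here is Splunk's own code. The field names are assumed to mirror the
key=value fields Splunk's Windows event log inputs commonly produce.
"""

from datetime import datetime, timedelta

# Windows Security event IDs: 4624 = successful logon, 4634 = logoff.
LOGON, LOGOFF = "4624", "4634"

# Fixed "now" (UTC) so the 24-hour window below is stable when the example runs.
NOW = datetime(2024, 5, 1, 12, 0, 0)

# Constructed sample events in a key=value style similar to indexed Windows logs.
RAW_EVENTS = [
    "2024-05-01 08:15:02 host=DC01 EventCode=4624 Account_Name=Bill Logon_Type=10 Source_Network_Address=10.0.0.25",
    "2024-05-01 08:40:11 host=DC01 EventCode=4634 Account_Name=Bill Logon_Type=10",
    "2024-05-01 09:02:45 host=FS01 EventCode=4624 Account_Name=Bill Logon_Type=3 Source_Network_Address=10.0.0.25",
    "2024-05-01 09:05:00 host=DC01 EventCode=4624 Account_Name=Alice Logon_Type=2",
    "2024-04-20 17:30:00 host=DC01 EventCode=4624 Account_Name=Bill Logon_Type=10 Source_Network_Address=10.0.0.99",
    "2024-05-01 11:58:30 host=HR-SRV EventCode=4624 Account_Name=Bill Logon_Type=3 Source_Network_Address=10.0.0.25",
]


def parse_event(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a '_time' datetime."""
    date, clock, *pairs = line.split()
    event = {"_time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def search(events, host=None, user=None, earliest_hours=None):
    """Mimic a narrowed Splunk search: host=..., a user name, and a time window.

    earliest_hours plays the role of earliest=-24h: events older than that
    many hours before NOW are dropped. Any filter left as None is not applied,
    which is exactly the over-broad "all time, any host" search to avoid.
    """
    cutoff = NOW - timedelta(hours=earliest_hours) if earliest_hours else None
    hits = []
    for e in events:
        if host and e.get("host") != host:
            continue
        if user and e.get("Account_Name") != user:
            continue
        if cutoff and e["_time"] < cutoff:
            continue
        hits.append(e)
    return hits


def unexpected_logons(events, user, allowed_hosts):
    """Return the hosts where `user` logged on (4624) outside `allowed_hosts`."""
    return sorted({
        e["host"]
        for e in events
        if e.get("Account_Name") == user
        and e.get("EventCode") == LOGON
        and e["host"] not in allowed_hosts
    })


EVENTS = [parse_event(line) for line in RAW_EVENTS]

if __name__ == "__main__":
    # Equivalent of: host="DC01" Bill earliest=-24h
    for e in search(EVENTS, host="DC01", user="Bill", earliest_hours=24):
        print(e["_time"], e["EventCode"], e["host"])
    # Red-flag check: Bill is expected on DC01 and FS01 only.
    print("unexpected:", unexpected_logons(EVENTS, "Bill", {"DC01", "FS01"}))
```

Run as a script it prints Bill’s logon and logoff on DC01 from the last 24 hours (the April event is outside the window) and then flags HR-SRV as a host Bill logged onto but is not expected on. The allowed-host set is the piece you would maintain per user or per group when turning this into an alert.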

The other way to look into Active Directory is by installing the Splunk App for Active Directory. This is available free on the Splunk site. It also requires a few more downloadable packages, but it will prompt you to install those. The Splunk App for Active Directory has a lot of potential; it looks at things like logins and logoffs, and the big one: analyzing changes in infrastructure. For those of us dealing with large domains or forests, this could be the answer to our prayers.