Repository: commit 9fb61c78af ("MSObjectif") by admingit, 12 months ago.

README.txt


MS Windows AD Objects = 4.1.1

- Release Notes:
- Fixed Dashboards:
- Fixed several CSS issues in the dashboards, including the Getting Started wizard
- Removed hardcoded content from the AD Object - Group Changes dashboard
- New Features:
- Multi-Domain - Splitting Lookups:
- Added the capability to split the AD_Obj_(User/Group/Computer) lookups into separate lookups per domain.
- This addresses the issue where large, multi-domain environments ran into KV Store lookup sizing limits.
- With this capability, the size of each lookup is greatly reduced.
- Use the "AD Objects - CFG - Split KVs" dashboard in the Configuration Dashboards - Advanced Configuration menu.
- NOTE: This configuration requires some manual steps, which are outlined in the "AD Objects - CFG - Split KVs" dashboard.
- Important Note: To provide this support, updated macros had to be created to replace the previous ones used for building lookups and correlation searches. There is also now a Domain dropdown that must be selected first in most of the dashboards.
- Added multiple reports for analyzing the collected Registry data.
- Updated CSS styling to establish a common look and feel across the dashboards.
- Updated several of the lookups' multivalue columns to speed up searches and take advantage of the KV Store's multivalue searching capabilities.
- Multiple other fixes to dashboards, reports and field extractions based on customer feedback.
Required TA: Splunk Add-On for Microsoft Windows version 4+
Configuration:
Required for first-time installation and for upgrades from version 3.x and below:
- You will first need to walk through the "Configuration - Getting Data In" dashboard located at "MS Windows AD Objects --> Configuration --> Configuration - Getting Data In".
Optional: If you are upgrading from version 4.0.3, you do not need to run through the "Configuration - Getting Data In" dashboard wizard.

Configuration - Getting Data In dashboard wizard Overview:
- This dashboard walks you through the process of installation, enabling data inputs, configuration and the required
building of the AD Objects lookup tables. The specific steps for your environment are determined by the selections you
make in the second task of the wizard, "Scope Definition".
- Below are the different tasks covered in this initial configuration wizard:
- This guide is specifically designed to help you not only configure the MS Windows AD Objects application,
but also to quickly get your Windows and Active Directory data into Splunk.
- To align the configuration steps with your Splunk environment and deployment needs,
the first task, Scope Definition, collects some basic information about your environment and deployment plans.
- How to use this Guide
- Each step of this guide builds on the previous one; verify that each of the previous steps or requirements
has been completed before proceeding to the next.
- Goals for the Guide
- At the end, you will have your Windows/Active Directory data flowing into Splunk, have the MS Windows AD Objects
application configured, and be well on your way to leveraging the power of Splunk.
Guide Part Descriptions
- Section Step 1: Scope Definition
- Required: This step is used to align the subsequent steps with your environment and deployment plans.
- Section Step 2: Preparation
- Covers the preparation steps so that the Splunk core components, the MS Windows AD Objects app and the TA configuration are ready to receive the Windows data and for deployment.
- Section Step 3: Deployment
- Covers the steps for distributing the previously configured Splunk Technology Add-ons to the target Windows systems.
- Section Step 4: Check Data
- This section provides a way of verifying, and if necessary troubleshooting, the previous configuration steps.
- Section Step 5: Build Lookups
- This last section walks through the final step of building the MS Windows AD Objects lookup tables.

MS Windows AD Objects = 4.0.3
- Release Notes:
- Fixed the dn_path field extraction. It now has to be embedded in the searches/macros: because ActiveDirectory is a pre-trained sourcetype, the extraction cannot be done in props/transforms.
- Added a lookup field that can be used for filtering the lookup data: AD_Obj_User (lookup_usr), AD_Obj_Group (lookup_grp), AD_Obj_Computer (lookup_cmp) and AD_Obj_OU (lookup_ou).
- This way you can look up user/group/computer/OU details with a single "| lookup AD_Obj_... lookup_... AS ..." search. If an event carries the distinguishedName, cn or sAMAccountName, it will match the lookup_... values.
- Updated the wineventlog props to put the user and distinguishedName fields in lowercase so they link correctly with the KV Store lookups.
- Updated the File Auditing dashboards and added a couple of reports.
- Updated the searches to use the new lookup_... fields instead of having to run multiple lookups.
- Fixed Windows Eventlog field extractions and EVALs in props.conf for the user_obj_..., group_obj_..., computer_obj_... and member_obj_... fields,
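The single-lookup enrichment pattern described in the 4.0.3 notes, as a worked search. This is an added example, not a search shipped with the MS Windows AD Objects app. It assumes, as the notes describe, that the AD_Obj_User lookup's lookup_usr field holds each user's lowercased distinguishedName, cn and sAMAccountName and that AD_Obj_Group's lookup_grp does the same for groups; it also assumes the lookups expose a distinguishedName column. The sourcetype name, the event field target_group and the displayName and memberOf output columns are assumptions for illustration, not fields documented on this page.

```spl
sourcetype=WinEventLog
| eval user=lower(user), target_group=lower(target_group)
| lookup AD_Obj_User lookup_usr AS user OUTPUT distinguishedName AS user_dn, displayName AS user_display, memberOf AS user_groups
| lookup AD_Obj_Group lookup_grp AS target_group OUTPUT distinguishedName AS group_dn
| eval ad_match=if(isnotnull(user_dn), "matched", "unmatched")
| table _time EventCode user user_dn user_display user_groups target_group group_dn ad_match
```

The first eval lowercases the join keys; the app's props already do this for user and distinguishedName, but any other field you join on (here the assumed target_group) must be lowercased explicitly, because KV Store lookups match case-sensitively and the lookup_... values are stored in lowercase. Because lookup_usr carries the DN, cn and sAMAccountName forms, one lookup command matches whichever form the event happens to contain, which is why the app could drop the earlier chain of per-field lookups. The ad_match column is worth keeping during validation: events that stay "unmatched" are either local or non-domain accounts, or a sign that the lookups have not been rebuilt since the objects were created, so filtering on ad_match="unmatched" is a quick check after Section Step 5 (Build Lookups).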