
I'd like to have a Splunk query to show LDAP Authentication/Binds to a group of AD servers. However, if this can be found via Windows events I can then write the query in Splunk. I'm a bit new with LDAP and Splunk...

Current search (50 or so results in 15 mins):

index="winevent" host="AD Servers" serviceBindingInformation |  stats count by Account_Name

This seems to show only "Message=A directory service object was modified." which is not what we are looking for.

Another search (over 6000 results in 15 mins):

index="winevent" host="AD Servers" LDAP

While I get far more results, I don't seem to have any that are showing Authentication or LDAP Binds. The event code for all of the results is:

5136: A directory service object was modified

Is there a different way to search for LDAP Authentication than how I am going about it or is there a change that should be made on AD or Splunk to allow visibility to view LDAP Authentication?

Thanks, C

freginold
  • How about scanning the AD server logs? – Roshith Aug 07 '17 at 23:20
  • I have done this however I am unable to determine which event or log entry correlates to the LDAP authentication binds. Any help here would be appreciated. Thanks for the reply! – coffeebrew Aug 14 '17 at 12:18
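Editor's added example (not part of the original question or comments): the keyword serviceBindingInformation in the first search is an AD attribute name, so it naturally matches only 5136 "object was modified" events, and the word LDAP appears in the same events for the same reason. Domain controllers do not write a per-bind Security event that names LDAP; the per-bind record is Directory Service event 2889 (client address, identity, and binding type), and it is only written when the NTDS diagnostic setting "16 LDAP Interface Events" is raised to level 2 (at the default level only the daily summary event 2887 appears). Note the caveat: 2889 covers only SASL binds that did not request signing and simple binds over cleartext LDAP, which is the population most worth auditing. Binds that successfully authenticate a domain account also leave a Security event 4624 with logon type 3 on the DC, but that event does not say "LDAP". The script below, run elevated on a DC, enables the diagnostic level and lists the resulting 2889 events; the regex over the event message text and the binding-type meanings (0 = unsigned SASL, 1 = cleartext simple bind) are assumptions about the message layout, not taken from the page.

```powershell
# Added example, not from the original post: enable per-bind LDAP logging on a
# domain controller and summarise the resulting Directory Service 2889 events.
# Run elevated on the DC itself (or wrap in Invoke-Command for a group of DCs).

# 1. Raise "16 LDAP Interface Events" to level 2. Level 0 (default) only produces
#    the 24-hour summary event 2887; level 2 writes event 2889 for each bind.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. Read 2889 events and flatten the fields a Splunk search would want.
#    The message is parsed with regex; the field order inside the message and the
#    binding-type codes are assumptions about the event text layout.
function Get-LdapBindEvents {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-15)
    )
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $msg      = $_.Message
        $client   = $null
        $identity = $null
        $bindType = $null

        if ($msg -match 'Client IP address:\s*\r?\n\s*(\S+)')               { $client   = $Matches[1] }
        if ($msg -match 'authenticate as:\s*\r?\n\s*([^\r\n]+)')            { $identity = $Matches[1].Trim() }
        if ($msg -match 'Binding Type:\s*\r?\n\s*(\d+)') {
            # Assumed mapping: 0 = SASL bind without signing, 1 = simple bind over cleartext.
            switch ($Matches[1]) {
                '0'     { $bindType = 'SASL-unsigned' }
                '1'     { $bindType = 'Simple-cleartext' }
                default { $bindType = $Matches[1] }
            }
        }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Client      = $client
            Identity    = $identity
            BindType    = $bindType
        }
    }
}

# Counts per account and bind type, mirroring the "stats count by Account_Name" idea.
Get-LdapBindEvents |
    Group-Object Identity, BindType |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Once the Directory Service log is forwarded by the Splunk Windows add-on (assumed here to land in the same index the question uses, with the source named WinEventLog:Directory Service), the equivalent search is simply index="winevent" host="AD Servers" EventCode=2889 | stats count by host, followed by a rex over the Message field for the client address and identity. Expect volume to jump once level 2 is on, so scope the host list and time range before leaving it enabled.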

0 Answers