Group Changes and Rare/Frequent Admins etc. not displayed

Greetings,

I've set up SuperCharger for AD monitoring using SPLUNK, accurately following the documentation & webinar; however, I'm not seeing the Group Changes and Rare/Frequent Admins etc. in the SPLUNK app for LOGBINDER. Following the forums I've also tried a couple of things like:

1) Checking "Domain_Controllers.csv" file
2) Running wecutil ss <ADChanges> /cf:Events
3) ETC.

Also noticed the below

1) 'admin_combined' macro is empty
2) No event in the collector ADChanges Log for 4730 or 4727

I have been trying to fix it for quite some time. What else can it be? Please SOS!!

Regards,
Parvez H. 

imrago - 10/17/2017

>1) 'admin_combined' macro is empty
That is indeed strange that admin_combined macro is empty, it should not be so. Check if the same macro is redefined in the local directory of the app.

>2) No event in the collector ADChanges Log for 4730 or 4727

4727 is not the only group creation event; we are checking for these

( EventCode=4727 OR EventCode=4731 OR EventCode=4754 )

with the group_creation_eventcodes macro. Please check whether, after creating a group, one of those three is present in the logs.


parvii - 10/18/2017

1) Yes, it is defined, please find below the contents of the macros.conf file
[admin_combined]
definition = eval Admin=SubjectAccountDomain."\\".SubjectAccountName

2) 4754 was triggered on group testing.

I had a few more observations:

3) For Group & Membership changes, values were empty for "Admin", "Group" & "Member Account Name" columns

4) Can you confirm that all configuration done in AD is just for the "Default Domain Controllers Policy"? Referring to your documentation, step 4 (configuring Event Forwarding) refers to "Default Domain Policy"; assuming it was a typo, I configured the "Default Domain Controllers Policy" itself. I hope this is not the issue.

5) The Managed Filter used is "Builtin - Security: AD Changes"; the XPath does not monitor 4727 or 4731. I hope this is also normal. Since it's a free edition I cannot modify the builtin filters.

imrago - 10/18/2017

Let us start with the Group Changes table.
If I get it correctly, the 4754 event is now present in the Group Changes table, but the "Admin" and "Group" columns are empty, is it so?

The Admin field is populated based on the admin_combined macro, and Group based on the group_combined macro. You mentioned that the admin_combined macro was empty. That might cause the Admin field to be empty. Where did you see that, in the Splunk GUI ( Advanced search » Search macros )?


parvii - 10/18/2017

Yes, that's right, I can see Date & Change under the Group Changes table, but no values for the Admin & Group columns.

Yes I checked admin_combined under Advanced search >> Search macros.

imrago - 10/18/2017

Probably there is something not configured properly in
%SPLUNK_HOME%\etc\apps\logbinder\local\macros.conf

Did you change any of the macros in the app intentionally? If not, then it is safe to delete that file completely. The definition field of the macro should not be empty.

parvii - 10/19/2017

No, I haven't made any explicit changes to any macros for the app. I've removed the macro file "%SPLUNK_HOME%\etc\apps\logbinder\local\macros.conf", but the results are the same.
Please find attached the search results for the "admin/group"_combined macros.

imrago - 10/19/2017

If you put just that macro in the search it is expected to return nothing; it is just creating a new field based on two existing fields if they are present.

> I've removed the macro file

Please restart Splunk after removing that file, so that the change takes effect.

After the restart the "Advanced search >> Search macros" should look like this:



parvii - 10/19/2017

After restarting SPLUNK, it now looks the same as your screenshot under Advanced search >> Search macros, with 44 items.
However, the dashboard panels are still missing the Admin & Group columns. Anything to be done at the collector? I've already restarted the collector.

imrago

Great, so the macro issue is resolved. It remains to check if the fields used by the macro are present, for example by running this query in this dashboard
http://localhost:8000/en-US/app/logbinder/search

`filter_dc_winseclog_events` `group_creation_eventcodes` | `group_combined` | table Group_Domain Group_Name Group

Or alternatively, could you send a screenshot of the raw group creation event in Splunk, to see that everything needed is present in the event? Please paint over the parts which are sensitive to share.
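To make the failure mode in this thread concrete, here is an added Python example (not LOGbinder's or Splunk's code) that emulates the admin_combined macro from the macros.conf posted above, plus an assumed analogous group_combined macro, over constructed events and reports which source fields each group creation event lacks. The names admin_combined, group_creation_eventcodes, Group_Domain and Group_Name come from the thread; the group_combined definition, the SPL null semantics it mimics and the sample events are assumptions.

```python
# Added example, not LOGbinder's code: emulate the admin_combined / group_combined
# eval macros to show why the Admin and Group columns come out empty when the
# source fields are absent from the forwarded event.

# From the group_creation_eventcodes macro quoted in the thread.
GROUP_CREATION_EVENTCODES = {4727, 4731, 4754}

# Source fields the two macros need (assumed for group_combined).
REQUIRED = ("SubjectAccountDomain", "SubjectAccountName", "Group_Domain", "Group_Name")


def spl_concat(*parts):
    """Mimic SPL's '.' operator: if any operand is null the result is null."""
    if any(p is None for p in parts):
        return None
    return "".join(parts)


def admin_combined(event):
    # macros.conf from the thread: eval Admin=SubjectAccountDomain."\\".SubjectAccountName
    return spl_concat(event.get("SubjectAccountDomain"), "\\", event.get("SubjectAccountName"))


def group_combined(event):
    # Assumed analogue for the Group column: eval Group=Group_Domain."\\".Group_Name
    return spl_concat(event.get("Group_Domain"), "\\", event.get("Group_Name"))


def diagnose(events):
    """Return one Group Changes row per group creation event, plus the fields it lacks.

    A row whose 'missing' list is non-empty is exactly the case seen in the thread:
    the event reaches the dashboard but Admin/Group render as blank cells.
    """
    rows = []
    for ev in events:
        if ev.get("EventCode") not in GROUP_CREATION_EVENTCODES:
            continue
        rows.append({
            "EventCode": ev["EventCode"],
            "Admin": admin_combined(ev),
            "Group": group_combined(ev),
            "missing": [f for f in REQUIRED if ev.get(f) is None],
        })
    return rows


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Fully extracted universal group creation: both columns populate.
    {"EventCode": 4754, "SubjectAccountDomain": "CORP", "SubjectAccountName": "jdoe",
     "Group_Domain": "CORP", "Group_Name": "App-Admins"},
    # Forwarded 4754 whose Subject/Group fields were never extracted: blank columns.
    {"EventCode": 4754},
    # A logon event: filtered out by the event code set, never reaches the table.
    {"EventCode": 4624, "SubjectAccountDomain": "CORP", "SubjectAccountName": "jdoe"},
]

if __name__ == "__main__":
    for row in diagnose(SAMPLE_EVENTS):
        print(row)
```

The query in the post above (`... | table Group_Domain Group_Name Group`) is the Splunk-side equivalent of the `missing` list: an empty Group next to empty Group_Domain/Group_Name means the extraction, not the macro, is what needs fixing.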