Another good report

Anthony Reinke — Wed, 24 Mar 2010 14:54:34 +0000

This will help to track down failed logins. This could be due to someone changing their password and still are logged in to a server with the old account information. The other side is that someone could be trying to brute force an account.

Type=”Failure Audit” sourcetype=”WinEventLog:Security” | chart count by User_Name | sort – count

Daily Splunk Reports

Anthony Reinke — Wed, 24 Mar 2010 13:45:14 +0000

So I am a full convert and profit of Splunk now. I have been using it at work for around 4 months now. I have rolled it out to our domain controllers and have started rolling it to all our Windows and *nix servers. The ability to find out who did what has made my job so much easier. There was an incident where an OU was deleted in our AD. I was able to see exactly who and when did it. Normally this type of searching wasn’t possible or at least hard to get due to the size of our infrastructure. Our Event Logs roll over around once an hour. The OU was deleted 8 hours before we were contacted.

Here is a few of the reports I have scheduled to get every morning to take a look at what has happened in my environment.

User Accounts deleted:

User Accounts created:

Computer Accounts deleted:

Computer Accounts created:

Anthony Reinke » id

Another good report

Daily Splunk Reports