On Tuesday, I introduced one of the first presentations at .conf2014 – a major update to the SA-ldapsearch app. This new app has now launched and you can download it at http://apps.splunk.com/app/1151/. The app consists of four specific commands: ldapsearch, ldapfetch, ldapfilter and ldapgroup.
Improvements include:
The ldapsearch command is a generating command and is used in a similar way to other generating commands like inputlookup. You run it like this:
| ldapsearch domain=SPL search="(objectClass=user)" attrs="sAMAccountName,cn"
We have added some new features in this release. Firstly, the output is in JSON, so it’s a better format when you are looking at the raw events that come back. Secondly, you can search a subset of the data using the basedn and scope parameters. Let’s say all your users are in the ou=People container and it’s flat. You can optimize the above search like this:
| ldapsearch domain=SPL basedn="ou=People,dc=spl,dc=com" scope="sub" search="(objectClass=user)"
Of course, we kept the decoding of the attributes like the objectSID and other features you know and love.
If you want to augment the events you already have, you can use ldapfetch and ldapfilter. ldapfetch takes a distinguished name and fetches the object from Active Directory. ldapfilter uses fields from the event to build a search. For example, let’s say you have an eventtype that has fields src_user and nt_domain (standard fields from the Common Information Model) and you want to add the person’s real name and telephone number:
eventtype=my-event | stats count by src_user,nt_domain | ldapfilter domain=$nt_domain$ search="(sAMAccountName=$src_user$)" attrs="cn,telephoneNumber" | table src_user, nt_domain, cn, telephoneNumber
If that eventtype has a field called dn in it and the field contains the distinguished name of the object, we can do the same thing with ldapfetch:
eventtype=my-event | stats count by dn | ldapfetch dn=dn attrs="sAMAccountName,cn,telephoneNumber" | table sAMAccountName, cn, telephoneNumber
The final one is ldapgroup. This takes the distinguished name of a group and expands that group to its membership, taking into account nested groups and cyclical groups. It adds five multi-value fields to the event to provide information about the membership, including whether each member is listed in the group directly or indirectly via another group. You use it like this:
| ldapsearch domain=SPL search="(objectClass=group)" attrs="cn,distinguishedName" | ldapgroup | table cn,member_name,member_type
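To make the nested and cyclical group handling concrete, here is an added example (not code from the SA-ldapsearch app) that expands a group over a small constructed in-memory directory the way ldapgroup is described as doing. The directory entries, the DNs and the output field names (member_name, member_type, membership) are assumptions for illustration only, not the app's actual schema.

```python
"""Added example: transitive AD group expansion with cycle protection."""
from collections import deque

# Constructed sample directory keyed by distinguishedName (hypothetical data).
# Ops is nested in Admins, and Admins is nested back in Ops: a cyclical group.
DIRECTORY = {
    "CN=Admins,OU=Groups,DC=spl,DC=com": {
        "objectClass": "group", "sAMAccountName": "Admins",
        "member": ["CN=Ops,OU=Groups,DC=spl,DC=com",
                   "CN=alice,OU=People,DC=spl,DC=com"],
    },
    "CN=Ops,OU=Groups,DC=spl,DC=com": {
        "objectClass": "group", "sAMAccountName": "Ops",
        "member": ["CN=bob,OU=People,DC=spl,DC=com",
                   "CN=Admins,OU=Groups,DC=spl,DC=com"],  # the cycle
    },
    "CN=alice,OU=People,DC=spl,DC=com": {
        "objectClass": "user", "sAMAccountName": "alice", "member": []},
    "CN=bob,OU=People,DC=spl,DC=com": {
        "objectClass": "user", "sAMAccountName": "bob", "member": []},
}


def expand_group(group_dn, directory=DIRECTORY):
    """Return one dict per object reachable from group_dn.

    membership is "direct" for objects listed in the group itself and
    "indirect" for objects reached through a nested group. Direct members
    are queued first, so an object that is both direct and nested is reported
    as direct. The seen set stops cyclical references from looping forever
    and keeps each object from being reported twice."""
    seen = {group_dn}
    queue = deque((dn, "direct") for dn in directory[group_dn]["member"])
    members = []
    while queue:
        dn, membership = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:
            continue  # dangling member reference (deleted object): skip it
        members.append({"member_name": entry["sAMAccountName"],
                        "member_type": entry["objectClass"],
                        "membership": membership, "member_dn": dn})
        if entry["objectClass"] == "group":
            queue.extend((child, "indirect") for child in entry["member"])
    return members
```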
Hopefully, this new upgrade to our popular integration with Active Directory will help you with your reports. If you like this app, then perhaps you should also check out the Splunk App for Windows Infrastructure and monitor your Active Directory environment as well.