Closed Warlitos closed 3 months ago
Hi @Warlitos, which sourcetype is assigned to Windows AD currently? Please fetch a few raw events for us to develop/test. Let me know if I should send instructions on how to do that.
Hello @mstopa-splunk, I tried configuring WinEventLog on splunk_metadata.csv.
windows_ad,sourcetype,WinEventLog
The events are indexed in Splunk Cloud with sourcetype=WinEventLog, but they do not get parsed. We have other sources from Windows AD via UF->HF->Cloud that are being parsed properly with sourcetype=WinEventLog.
I attached a file with 4 raw events of different Windows event codes. I can provide more if needed or change the source format to XML. windows_ad_raw_events.txt
@Warlitos I need to close this issue, because Windows is not supported by SC4S in general; it is not a typical syslog source.
If I understand correctly, you currently don't use SC4S for Windows AD, only UF->HF->Cloud, and some sources are being parsed, some not. If SC4S has never been used in this process, please contact Splunk support so they can help with the add-on. If SC4S is part of the process and works for some events and not for the others, please reopen this issue or refer to it in the new one.
We recently integrated Windows AD via syslog with SC4S, but there is no known "Microsoft Windows Active Directory" vendor in SC4S. I tried to use the sourcetypes from "Splunk Add-on for Microsoft Windows" installed in Splunk Cloud, but I am not able to make it work, and the logs are indexed without parsing. Is it necessary to create an SC4S parser for Windows AD in this case, or is there a workaround I'm not aware of?
What is the SC4S version? 2.49.5
Is there a pcap available? Can be supplied, but these are standard Windows AD logs.
What is the vendor name? Microsoft
What is the product name? Windows AD (WinEventLog)
Feature Request description: Parser for Windows AD XML and non-XML logs
Should it support TCP or UDP? I guess both; in this case it's received through UDP.