One of our field people asked me if we could use the Splunk App for Active Directory to monitor Local Administrators on a list of hosts. The Splunk App for Active Directory monitors domain administrators (mostly through the SA-ldapsearch application, which provides custom commands for retrieving LDAP groups, and the Windows Security Event Log, which provides change monitoring through the audit configuration on a domain controller). So I put my thinking cap on and came up with this WMI methodology.
Firstly, a bit of background. WMI is the Windows Management Instrumentation – a sub-system within Windows that allows remote and local users to query the internals of the Windows OS. Most Splunkers use this to get things like the Win32_BIOS information, remote perfmon and event logs and similar things. We are going to use this for getting the contents of the local users and groups table.
WMI is split into classes, and the class we want is called Win32_GroupUser. Click on the link to get more detailed MSDN documentation on the class. We need a simple entry in a wmi.conf file like this:
[WMI:LocalAdmins]
interval = 3600
disabled = 0
wql = SELECT * FROM Win32_GroupUser
This will give us one entry per member of each local group. Each event looks like this:
20130726124002.422783 GroupComponent=\\SQL12\root\cimv2:Win32_Group.Domain="SQL12",Name="Administrators" PartComponent=\\SQL12\root\cimv2:Win32_UserAccount.Domain="SQL12",Name="Administrator" wmi_type=UserGroup
This is from my SQL server SQL12, so you can see all the entries are for the local machine. We can now do searches with this. The main one is to provide the list of users on each host that are in the Administrators group:
sourcetype="WMI:LocalAdmins" Name="Administrators" | rex field=_raw "PartComp.*?,Name=\"(?<UserName>[^\"]+)\"" | dedup host,Name,UserName | transaction host,Name | table host,UserName
For each host that is reporting, you will see a line with the name of the host and the list of local administrators. You can even monitor this remotely through WMI by adding a server list to the wmi.conf stanza.
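To show what the search above does outside of Splunk, and to add the check most people end up wanting (which accounts are in Administrators now that were not there before), here is a small parser for the Win32_GroupUser event format. This is an added example, not code from the original post or from the Splunk App for Active Directory. The sample events are constructed to match the format shown above; the hosts WEB01, the account svc_backup, the CORP domain and the baseline membership are all hypothetical. One thing the post's rex does not distinguish is that PartComponent can be a Win32_Group as well as a Win32_UserAccount (a nested group, such as a domain group placed in local Administrators), so the parser records which kind it saw.

```python
import re
from collections import defaultdict

# Two regexes over the raw event text: one for the group side (GroupComponent),
# one for the member side (PartComponent). In these raw strings, \\\\ matches the
# two literal backslashes of the \\HOST prefix.
GROUP_RE = re.compile(
    r'GroupComponent=\\\\(?P<host>[^\\]+)\\root\\cimv2:Win32_Group\.'
    r'Domain="(?P<domain>[^"]+)",Name="(?P<name>[^"]+)"')
PART_RE = re.compile(
    r'PartComponent=\\\\[^\\]+\\root\\cimv2:Win32_(?P<kind>\w+)\.'
    r'Domain="(?P<domain>[^"]+)",Name="(?P<name>[^"]+)"')

# Constructed sample events in the shape produced by the wmi.conf stanza above.
# The first line is the one shown in the post; the rest are hypothetical.
SAMPLE_EVENTS = [
    r'20130726124002.422783 GroupComponent=\\SQL12\root\cimv2:Win32_Group.Domain="SQL12",Name="Administrators" PartComponent=\\SQL12\root\cimv2:Win32_UserAccount.Domain="SQL12",Name="Administrator" wmi_type=UserGroup',
    r'20130726124002.422783 GroupComponent=\\SQL12\root\cimv2:Win32_Group.Domain="SQL12",Name="Administrators" PartComponent=\\SQL12\root\cimv2:Win32_Group.Domain="CORP",Name="Domain Admins" wmi_type=UserGroup',
    r'20130726124002.422783 GroupComponent=\\SQL12\root\cimv2:Win32_Group.Domain="SQL12",Name="Administrators" PartComponent=\\SQL12\root\cimv2:Win32_UserAccount.Domain="SQL12",Name="svc_backup" wmi_type=UserGroup',
    r'20130726124002.422783 GroupComponent=\\SQL12\root\cimv2:Win32_Group.Domain="SQL12",Name="Users" PartComponent=\\SQL12\root\cimv2:Win32_UserAccount.Domain="SQL12",Name="svc_backup" wmi_type=UserGroup',
    r'20130726124002.422783 GroupComponent=\\WEB01\root\cimv2:Win32_Group.Domain="WEB01",Name="Administrators" PartComponent=\\WEB01\root\cimv2:Win32_UserAccount.Domain="WEB01",Name="Administrator" wmi_type=UserGroup',
]

# Hypothetical approved membership, as you might keep in a lookup table.
BASELINE = {
    "SQL12": {r"SQL12\Administrator", r"CORP\Domain Admins"},
    "WEB01": {r"WEB01\Administrator"},
}


def parse_event(raw):
    """Return a dict describing one Win32_GroupUser event, or None if it does not match."""
    g = GROUP_RE.search(raw)
    p = PART_RE.search(raw)
    if not g or not p:
        return None
    return {
        "host": g.group("host"),
        "group": g.group("name"),
        "group_domain": g.group("domain"),
        "member": f'{p.group("domain")}\\{p.group("name")}',
        "member_kind": p.group("kind"),  # UserAccount for users, Group for nested groups
    }


def admins_by_host(events, group="Administrators"):
    """Equivalent of the post's search: host -> set of members of the given local group."""
    members = defaultdict(set)
    for raw in events:
        ev = parse_event(raw)
        if ev and ev["group"] == group:
            members[ev["host"]].add(ev["member"])
    return dict(members)


def new_admins(baseline, current):
    """Members present now but absent from the baseline, keyed by host."""
    added = {}
    for host, now in current.items():
        delta = now - baseline.get(host, set())
        if delta:
            added[host] = delta
    return added


if __name__ == "__main__":
    current = admins_by_host(SAMPLE_EVENTS)
    for host, members in sorted(current.items()):
        print(host, sorted(members))
    print("not in baseline:", new_admins(BASELINE, current))
```

Run as-is it lists the Administrators members per host and reports svc_backup on SQL12 as the one member that is not in the baseline. The same comparison can be done in Splunk by keeping the approved list in a lookup and using the search above with `| lookup` plus a filter on members that did not match.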
Want to monitor more Windows stuff? Let us know what you want to monitor and it will make its way into a future blog post!