Splunk Search Extended to Microsoft Active Directory
Through a new plug-in, Splunk has extended the capabilities of its namesake machine data search engine so it can mine operational information about Microsoft Active Directory deployments.
"There are a lot of challenges in managing an Active Directory infrastructure. We meet customers who have large Active Directory environments and they want to know what is happening before their users call in and complain they can't log in," said Manish Kalra, Splunk director of product marketing. "By getting all the log files and event logs from the Active Directory, we can see problems as they are happening."
With the Splunk App for Active Directory, administrators will be able to monitor Active directory operations, diagnose problems and anticipate upcoming issues. Splunk is demonstrating the application at Microsoft TechEd Europe 2012, being held this week in Amsterdam. It builds upon a similar tool the company released for Microsoft Exchange last year, Kalra said.
Run from Windows Server, Active Directory is Microsoft's user directory software, widely used in enterprises for user authentication as well as for configuration information about user computers.
The Splunk App for Active Directory offers a dashboard of common metrics to watch for in large Active Directory deployments. It can monitor operations at the forest level, site level, domain level or at individual domain controllers. The software can monitor for unusual activity, activity that could come from a security breach or some other form of non-compliant system usage. For instance, it can alert the administrator when there is an attempted log-in of a disabled account, or if two attempted log-ins from different geographic regions happen within a short period of time.
The software can also be used to audit changes made to group or user policies. Undocumented group policy changes are among "the biggest challenges we hear about" from large organizations, Kalra said. Changes in group policies can sometimes lead to unexpected issues. Usually an administrator won't hear about the trouble-causing change until a user complains. "We can tell you when a policy changed and who made the change," Kalra said.