One of the critical components of configuring the Splunk Enterprise Security Suite involves building lookup tables for identities. This post will provide an overview of the steps required to get started with automatic identity lookup building using LDAP or Active Directory. This is by no means a comprehensive document of all possible configurations and options, but it should provide enough information to get you going in the right direction.
More often than not, much of this information already exists in another directory, such as Active Directory or LDAP. Fortunately, Splunk can be configured to pull data from these sources automatically and build the appropriate lookup tables for Enterprise Security.
Step 1: Configure the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) to query your LDAP/Active Directory environment
Don’t be fooled by the name – just because this app is called the Splunk Support for Active Directory doesn’t mean that Active Directory is required. This app can be used to query any LDAP server. Download and install the Splunk Support for Active Directory app.
The following instructions were written for version 1.x of the app, which requires Java to function. The configuration should be similar on version 2.x, which no longer has the Java requirement.
As part of the app setup, configure ldap.conf for the domains you want to query:
Step 2: Use ldapsearch to generate the lookup table
These instructions are based on the steps found in the Splunk Enterprise Security Installation manual.
Substitute the domain (configured in ldap.conf) in the search as follows:
If referencing the Splunk documentation, leave the outputlookup command off since this lookup doesn’t exist yet.
If you are using an LDAP directory that is not Active Directory, it can still be queried with a similar search, but the attributes you map into the table will differ depending on your LDAP schema.
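As an added illustration of Steps 2 and 3 together (this is not the post's own search and not copied from the Splunk manual), the search below queries a domain stanza assumed to be named `corp.example` in ldap.conf, maps the returned Active Directory attributes onto the column names the Enterprise Security identity lookup expects, fills the columns the directory does not supply with fixed values, and writes the result to a lookup file. The filename `ldap_identities.csv`, the domain name, the filter and the attribute-to-column mapping are assumptions for this example; adjust them to your environment, and for a non-AD directory replace the attribute names with those of your schema.

```spl
| ldapsearch domain="corp.example" search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,userAccountControl"
| eval suffix="", endDate=""
| eval priority="medium", category="normal", watchlist="false"
| table sAMAccountName, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile, manager, priority, department, category, watchlist, whenCreated, endDate, userAccountControl
| rename sAMAccountName AS identity, personalTitle AS prefix, displayName AS nick, givenName AS first, sn AS last, mail AS email, telephoneNumber AS phone, mobile AS phone2, manager AS managedBy, department AS bunit, whenCreated AS startDate
| outputlookup ldap_identities.csv
```

The `(!(objectClass=computer))` clause keeps machine accounts out of the identity table, and `userAccountControl` is carried along so you can inspect disabled accounts before deciding whether to exclude them. Once the search has run, `| inputlookup ldap_identities.csv` confirms that the file exists and has the expected columns, and the search can then be saved and scheduled so the lookup is refreshed without manual intervention.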
Step 3: Create the lookup table file