{"id":12237,"date":"2010-03-24T08:45:14","date_gmt":"2010-03-24T13:45:14","guid":{"rendered":"http:\/\/www.anthonyreinke.com\/?p=237"},"modified":"2010-03-24T08:45:14","modified_gmt":"2010-03-24T13:45:14","slug":"daily-splunk-reports","status":"publish","type":"post","link":"https:\/\/anthonyreinke.com\/index.php\/2010\/03\/24\/daily-splunk-reports\/","title":{"rendered":"Daily Splunk Reports"},"content":{"rendered":"<p>So I am a full convert and prophet of <a href=\"http:\/\/www.splunk.com\" target=\"_blank\">Splunk<\/a> now. I have been using it at work for around 4 months now. I have rolled it out to our domain controllers and have started rolling it out to all our Windows and *nix servers. The ability to find out who did what has made my job so much easier. There was an incident where an OU was deleted in our AD. I was able to see exactly who did it and when. Normally this type of search wasn't possible, or at least was hard to do, because of the size of our infrastructure: our Event Logs roll over around once an hour, and the OU was deleted 8 hours before we were contacted.<\/p>\n<p>Here are a few of the reports I have scheduled to run every morning so I can take a look at what has happened in my environment.<\/p>\n<p>User Accounts deleted:<\/p>\n<pre>EventCode=\"630\" | fields Caller_User_Name, Target_Domain, Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Account | rename host as DomainController | rename Target_Domain as Users_Domain<\/pre>\n<p>User Accounts created:<\/p>\n<pre>EventCode=\"624\" | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename New_Account_Name as New_Account | rename host as DomainController | rename New_Domain as New_Account_Domain<\/pre>\n<p>Computer Accounts deleted:<\/p>\n<pre>EventCode=\"647\" | fields Caller_User_Name, Target_Domain, Target_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename Target_Account_Name as Deleted_Computer | rename host as DomainController | rename Target_Domain as Removed_Domain<\/pre>\n<p>Computer Accounts created:<\/p>\n<pre>EventCode=\"645\" | fields Caller_User_Name, New_Domain, New_Account_Name, host | collect | rename Caller_User_Name as Who_Did_It | rename New_Account_Name as New_Computer | rename host as DomainController | rename New_Domain as Joined_Domain<\/pre>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-12237","post","type-post","status-publish","format-standard","hentry"]}