Open Directory audit log data into Splunk

Illustrated Splunk server configuration steps

I put the Splunk server's scripts for distribution to the forwarders here:

Splunk >> bin >> scripts

sudo nano /Applications/Splunk/bin/scripts/Example_OD.sh

 

Script input:

#!/bin/bash
# Stream the unified log at info level in syslog format. The forwarder runs this
# script non-interactively, so there is no sudo here: run the forwarder as root
# (or as a user allowed to read the log) instead. Without a --predicate this streams
# every info-level message on the host; the searches further down only need the
# opendirectoryd and slapd events, e.g.
#   --predicate 'subsystem == "com.apple.opendirectoryd" OR process == "slapd"'
log stream --level info --style syslog

# Trying JSON output instead (this is the variant that goes with the _json sourcetype
# and produces the events shown further down):
log stream --level info --style json

Forwarder Management:

This is the deployment server side: create a server class for the Open Directory servers, then add the script as a forwarded scripted input so it is pushed to them.

Settings >> Forwarder management

Settings >> Forwarder management >> Clients

Settings >> Forwarder management >> Server Classes

New Server Class

Data >> Data Inputs

Data >> Data Inputs >> Forwarded Inputs >> Scripts

Change the sourcetype to _json

Once everything is in place you should be able to search the data. For this example I created an account "teddyboy" in Open Directory; the search then shows the slapd and opendirectoryd events streamed by the script.

Check (or change) the local inputs.conf for the scripted input that the deployment server pushed to the Open Directory server:

sudo nano /Applications/SplunkForwarder/etc/apps/_server_app_OD_Servers/local/inputs.conf

It reads:

[script://$SPLUNK_HOME/etc/apps/_server_app_OD_Servers/bin/ScriptName_OD.sh]
disabled = 0
index = default
interval = 60.0
sourcetype = linux_messages_syslog

Two things to check here. Splunk does not start a second copy of a scripted input while the previous one is still running, and "log stream" never exits on its own, so the interval only governs how soon the script is restarted if it dies. And "index = default" sends the events to the indexer's default index (main unless you changed it); give directory audit data its own index (for example index = od_audit) if you want separate retention and access controls for it.

I tried this:

sourcetype = oracle:audit:xml

or this:

sourcetype = _json

_json is the one to use with the --style json output; linux_messages_syslog only fits the --style syslog output.

Check (or change) the local inputs.conf of the forwarder itself on the Open Directory server:

sudo nano /Applications/SplunkForwarder/etc/system/local/inputs.conf

It reads:

[monitor:///var/audit/]

[default]
host = ClientMachineHostName.local

Note that /var/audit holds the BSM (OpenBSM) audit trail, which is binary: the monitor stanza ships the raw trail files, but they have to be converted with praudit before the events are searchable as text.

Check (or change) the local outputs.conf of the forwarder on the Open Directory server (10.1.2.3:9997 is the indexer or receiver):

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.1.2.3:9997

[tcpout-server://10.1.2.3:9997]

With only these settings the forwarder sends the directory logs to the indexer in clear text; add the SSL settings to the tcpout stanza if the data crosses an untrusted network.

To find successful OD account creation, search the _json sourcetype for:

ODNodeCreateRecord request

-----

This event shows the barbie account being created. The RecordName field in the message header is redacted as <private>; the actual name is in the Attributes block as dsAttrTypeStandard:RecordName = ( barbie ):

{"category":"session","processImageUUID":"DB3-0037-332C-8D8E-8C7350E88A01","processUniqueID":85,"threadID":1383910,"timestamp":"2019-09-22 06:24:07.668536-0400","traceID":2065501346005252,"messageType":"Info","activityID":854237,"processID":85,"machTimestamp":394733628137612,"timezoneName":"","subsystem":"com.apple.opendirectoryd","senderProgramCounter":65579,"eventMessage":"ODNodeCreateRecord request, NodeID: 0A1D-30AA-4FA7-B1C1-12E9F78DFF20, RecordType: dsRecTypeStandard:Users, RecordName: <private>, Attributes: {\n \"dsAttrTypeStandard:Comment\" = (\n );\n \"dsAttrTypeStandard:EMailAddress\" = (\n );\n \"dsAttrTypeStandard:FirstName\" = (\n );\n \"dsAttrTypeStandard:HomeDirectory\" = (\n );\n \"dsAttrTypeStandard:HomeDirectoryQuota\" = (\n 0\n );\n \"dsAttrTypeStandard:Keywords\" = (\n );\n \"dsAttrTypeStandard:LastName\" = (\n barbie\n );\n \"dsAttrTypeStandard:NFSHomeDirectory\" = (\n \"\/Users\/barbie\"\n );\n \"dsAttrTypeStandard:PrimaryGroupID\" = (\n 20\n );\n \"dsAttrTypeStandard:RealName\" = (\n barbie\n );\n \"dsAttrTypeStandard:RecordName\" = (\n barbie\n );\n \"dsAttrTypeStandard:UniqueID\" = (\n 1006\n );\n \"dsAttrTypeStandard:UserShell\" = (\n \"\/bin\/bash\"\n );\n}","senderImageUUID":"D350A9B3-0037-332C-8D8E-8C7350E88A01","processImagePath":"\/usr\/libexec\/opendirectoryd","senderImagePath":"\/usr\/libexec\/opendirectoryd"}

____

To find a deletion, search for eventMessage "Delete a record" coming from processImagePath /Applications/Server.app/Contents/MacOS/Server (Server.app is the process that issued the delete). This event carries no record name, so correlate it by timestamp with the opendirectoryd events on the same host to see which account was removed:

{"processImageUUID":"388D1B12-E930-3D81-AB34-6EFAA44E12EF","processUniqueID":28164,"threadID":1386945,"timestamp":"2019-09-22 06:32:34.581205-0400","traceID":1181143700349387010,"eventType":"OSActivityCreateEvent","activityID":857809,"processID":28164,"machTimestamp":395240545174841,"timezoneName":"","senderProgramCounter":56111,"eventMessage":"Delete a record","senderImageUUID":"29F55F7B-379F-3053-8FF3-5C6675A3DD4D","processImagePath":"\/Applications\/Server.app\/Contents\/MacOS\/Server","senderImagePath":"\/System\/Library\/Frameworks\/OpenDirectory.framework\/Versions\/A\/Frameworks\/CFOpenDirectory.framework\/Versions\/A\/CFOpenDirectory"}
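As an added example (not code from this post, nor Apple's or Splunk's), here is a small Python script that does on the forwarder side what the two searches above do in Splunk: it reads `log stream --style json` output (or the one-object-per-line `--style ndjson` output of newer macOS), pulls RecordName, UniqueID, PrimaryGroupID, UserShell and NFSHomeDirectory out of the Attributes block of an ODNodeCreateRecord request, and pairs it with the Server.app "Delete a record" event. The sample events are constructed to match the shape of the two shown above; the svc_backup account, the "unrelated message" and the thresholds it flags (uid below 500, primary group 0 or 80) are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Pick Open Directory account creations and deletions out of `log stream --style json`
output. Added example for this post; not code from the post, from Apple or from Splunk."""
import json
import re
from typing import Dict, Iterator, List, Optional

OD_SUBSYSTEM = "com.apple.opendirectoryd"
SERVER_APP = "/Applications/Server.app/Contents/MacOS/Server"
# One entry of the Attributes block, e.g.  "dsAttrTypeStandard:RecordName" = (\n barbie\n );
ATTR_RE = re.compile(r'"?dsAttrTypeStandard:(\w+)"?\s*=\s*\(\s*(.*?)\s*\);', re.S)


def iter_events(raw: str) -> Iterator[dict]:
    """Yield event dicts from a JSON array (--style json, possibly cut off before the
    closing bracket when the stream is interrupted) or one object per line (ndjson)."""
    text = raw.strip()
    if text.startswith("["):
        if not text.endswith("]"):
            text = text.rstrip(",") + "]"
        yield from json.loads(text)
        return
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if line:
            yield json.loads(line)


def parse_attributes(message: str) -> Dict[str, str]:
    """Flatten the NSDictionary-style Attributes block into {name: value}; paths are
    quoted in the log text, so the quotes are stripped."""
    return {name: " ".join(value.split()).strip('"') for name, value in ATTR_RE.findall(message)}


def risk_notes(finding: dict) -> List[str]:
    """Checks worth raising on a new account (thresholds are assumptions for this example)."""
    notes = []
    uid, gid = finding["uid"], finding["gid"]
    if uid.isdigit() and int(uid) < 500:  # macOS reserves uids below 500 for system accounts
        notes.append("uid %s is in the system range" % uid)
    if gid in ("0", "80"):  # gid 0 = wheel, gid 80 = admin on macOS
        notes.append("primary group %s grants admin rights" % gid)
    return notes


def classify(ev: dict) -> Optional[dict]:
    """Return a finding for a create or delete event, None for everything else."""
    msg = ev.get("eventMessage", "")
    base = {"timestamp": ev.get("timestamp", ""), "activity_id": ev.get("activityID"),
            "process": ev.get("processImagePath", "")}
    if ev.get("subsystem") == OD_SUBSYSTEM and msg.startswith("ODNodeCreateRecord request"):
        rtype = re.search(r"RecordType: (\S+),", msg)
        a = parse_attributes(msg)  # the header only says "RecordName: <private>"
        finding = dict(base, action="create", record_type=rtype.group(1) if rtype else "",
                       record_name=a.get("RecordName", ""), uid=a.get("UniqueID", ""),
                       gid=a.get("PrimaryGroupID", ""), shell=a.get("UserShell", ""),
                       home=a.get("NFSHomeDirectory", ""))
        finding["notes"] = risk_notes(finding)
        return finding
    if msg == "Delete a record" and ev.get("processImagePath") == SERVER_APP:
        # Server.app's event names no record: correlate by timestamp with opendirectoryd
        return dict(base, action="delete", record_name="", notes=[])
    return None


def analyze(raw: str) -> List[dict]:
    """All create/delete findings in a `log` JSON capture, in stream order."""
    return [f for f in (classify(ev) for ev in iter_events(raw)) if f]


def _create_message(attrs: Dict[str, str]) -> str:
    """Build an eventMessage shaped like the opendirectoryd one in the post (constructed)."""
    body = "".join('    "dsAttrTypeStandard:%s" =     (\n        %s\n    );\n' % kv
                   for kv in attrs.items())
    return ("ODNodeCreateRecord request, NodeID: 0A1D-30AA-4FA7-B1C1-12E9F78DFF20, "
            "RecordType: dsRecTypeStandard:Users, RecordName: <private>, Attributes: {\n"
            + body + "}")


def _od_event(ts: str, aid: int, msg: str) -> dict:
    return {"timestamp": ts, "activityID": aid, "subsystem": OD_SUBSYSTEM,
            "processImagePath": "/usr/libexec/opendirectoryd", "eventMessage": msg}


# Constructed sample stream: the barbie creation and the Server.app deletion modelled on
# the two events above, one unrelated message, and a creation that should be flagged.
SAMPLE_EVENTS = [
    _od_event("2019-09-22 06:24:07.668536-0400", 854237, _create_message({
        "Comment": "", "LastName": "barbie", "NFSHomeDirectory": '"/Users/barbie"',
        "PrimaryGroupID": "20", "RealName": "barbie", "RecordName": "barbie",
        "UniqueID": "1006", "UserShell": '"/bin/bash"'})),
    _od_event("2019-09-22 06:25:10.000000-0400", 854300, "unrelated message (constructed)"),
    {"timestamp": "2019-09-22 06:32:34.581205-0400", "activityID": 857809,
     "eventType": "OSActivityCreateEvent", "processImagePath": SERVER_APP,
     "eventMessage": "Delete a record"},
    _od_event("2019-09-22 06:40:00.000000-0400", 860001, _create_message({
        "RecordName": "svc_backup", "UniqueID": "499", "PrimaryGroupID": "80",
        "UserShell": '"/bin/zsh"', "NFSHomeDirectory": '"/var/empty"'})),
]
SAMPLE_JSON = json.dumps(SAMPLE_EVENTS)                          # --style json shape
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)  # --style ndjson shape

if __name__ == "__main__":
    for f in analyze(SAMPLE_JSON):
        print(f["timestamp"], f["action"], f["record_name"] or "(name not in event)", f["notes"])
```

Run it against a real capture with `log stream --level info --style json --predicate 'subsystem == "com.apple.opendirectoryd" OR process == "slapd"' | python3 od_audit.py` after replacing the sample with `sys.stdin.read()`; the regex tolerates the quoted and unquoted attribute keys seen in the pasted events, and the deletion finding deliberately leaves record_name empty rather than guessing, because the Server.app event does not carry it.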

 

 
