Optional steps

If you happen to have either Microsoft Active Directory or LDAP configured in your environment for user/group management, you can have Splunk use that AD/LDAP information to populate the Cisco CDR Reporting and Analytics groups and keep them updated.

Enabling Groups lookups to use Active Directory (Optional)

Enabling AD integration will allow your groups to reflect your AD structure, making many reports more intuitive and easier to read. This will also work for any other LDAP-based source. Note that a large portion of these instructions use the core Splunk product rather than the CDR App specifically. As such, additional help with and documentation for the Splunk Supporting Add-on for Active Directory and lookups can be found in Splunk's documentation.

Determine the logical mapping of LDAP/AD fields to CDR fields

The CDR app's "Groups" should have at a minimum the number, name and group fields. A subgroup field is optional and won't be included in this example. Active Directory already has fields that would normally match up with the fields needed for the CDR app (in the search used below, telephoneNumber maps to number, displayName maps to name, and department maps to group).
This is only one example, though it is a very common one. Your own mapping of CDR app groups to Active Directory fields may differ. For instance, your environment may be better suited to using the Location field in AD to populate group. Now that we've determined which Active Directory fields need to be mapped into the CDR App's groups fields, we need to enable a mechanism to retrieve that information from AD into Splunk. This will be done with the Splunk Supporting Add-on for Active Directory.

Step 1: Install and Configure the Splunk Supporting Add-on for Active Directory

The Splunk Supporting Add-on for Active Directory is also known as SA-ldapsearch.
You should have a working installation of this app when finished.

Step 2: Create the search to retrieve records

The following LDAP search should retrieve all users that are included in the Base DN you included in your LDAP setup.

    | ldapsearch search="(&(objectClass=user) (!(objectClass=computer)))"
    | search userAccountControl="NORMAL_ACCOUNT"
    | table telephoneNumber, displayName, department
    | rename telephoneNumber AS number, displayName AS name, department AS group

The first line (| ldapsearch ...) is the base LDAP search. It uses its own non-obvious syntax, but you likely won't need to change this line: as written it includes all AD user objects and excludes computer objects. The second line (| search userAccountControl=...) keeps only those accounts that are "regular" users. This is difficult to do in the base LDAP search because userAccountControl is a multivalued field, so we do it in Splunk instead; Splunk has no trouble searching multivalued fields. The third (| table ...) and fourth (| rename ...) lines put the output into the right format and match the AD field names up with the CDR field names.

Confirm that the search works in a new Search window in the Splunk Supporting Add-on for Active Directory. Note that it may take a few seconds or even minutes for results to come back. Be patient! We are going to schedule the update, so it won't matter much if it takes a few minutes to run.

Step 3: Create the outputlookup

Now that we have a search that returns the data we need to enable AD groups to be used in the CDR App, we need to use that search to create the lookup file. Modify the search above (or your version of it) and add the following to the end of it:

    | outputlookup groups

Like so:

    | ldapsearch search="(&(objectClass=user) (!(objectClass=computer)))"
    | search userAccountControl="NORMAL_ACCOUNT"
    | table telephoneNumber, displayName, department
    | rename telephoneNumber AS number, displayName AS name, department AS group
    | outputlookup groups

Run that search once manually to populate the lookup the first time. Note that the outputlookup command is somewhat invisible: the search results you'll see in Splunk will look just like the results you would get without the outputlookup command. This is normal and expected.

Step 4: Schedule the search

Save that search by clicking Save As, then Report. Name it <Your Company Name>_AD_Lookups_for_CDR. You do not need to have it include a time range picker. In the "Report has been created" dialog, click Schedule. Set the options appropriately for your environment (perhaps daily at 2:00 AM with a scheduling window of an hour, to let Splunk shift the exact timing a bit if it needs to).

Step 5: Test

In the CDR App, click Setup, then Define groups (optional). Click the Edit/Delete Extensions/Groups tab. It should mirror the list from the search we created. If it returns an appropriate list, we are done.

Troubleshooting

If you do not get a list of groups when you click Setup, Define groups (optional), then Edit/Delete Extensions/Groups, there is a problem in the lookup. Your first step should be to carefully review the steps to create the lookup. Note especially the following things:
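When reviewing the lookup steps, it helps to be able to reason about which AD records the Step 2 and Step 3 search will actually turn into rows of the groups lookup. The following Python script is an added illustration that is not part of this documentation or of the CDR App; it reproduces the search's logic offline on a constructed set of sample entries shaped like SA-ldapsearch results: it keeps entries whose objectClass includes user but not computer, tests the multivalued userAccountControl for NORMAL_ACCOUNT, renames telephoneNumber, displayName and department to number, name and group, and renders the CSV that `| outputlookup groups` would write. The two keyword switches (dropping disabled accounts, and skipping entries with no telephone number) are this example's own additions and go beyond the page's search; by default the script behaves like the documented search, which also admits disabled accounts and entries with an empty number.

```python
import csv
import io

# Constructed sample entries, shaped like the attributes SA-ldapsearch returns
# for AD objects. objectClass and userAccountControl are multivalued; the
# decoded userAccountControl flag names are what the page's search tests.
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": ["NORMAL_ACCOUNT"],
     "telephoneNumber": "5551001", "displayName": "Alice Example", "department": "Sales"},
    # A workstation object: objectClass includes "computer", so it is excluded.
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": ["WORKSTATION_TRUST_ACCOUNT"],
     "telephoneNumber": "", "displayName": "WS01", "department": ""},
    # Disabled user: still matches userAccountControl="NORMAL_ACCOUNT" because
    # a multivalued field matches when any one of its values equals the term.
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": ["NORMAL_ACCOUNT", "ACCOUNTDISABLE"],
     "telephoneNumber": "5551002", "displayName": "Bob Example", "department": "Support"},
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": ["NORMAL_ACCOUNT"],
     "telephoneNumber": "5551003", "displayName": "Carol Example", "department": "Sales"},
    # Service account without a phone number: passes the page's filters, so
    # its row has an empty number unless skip_missing_number is set.
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": ["NORMAL_ACCOUNT"],
     "telephoneNumber": "", "displayName": "svc-backup", "department": "IT"},
]

# AD attribute -> CDR groups lookup column, as in the page's rename command.
FIELD_MAP = {"telephoneNumber": "number", "displayName": "name", "department": "group"}
LOOKUP_COLUMNS = list(FIELD_MAP.values())


def matches_base_filter(entry):
    """Mirror of (&(objectClass=user)(!(objectClass=computer))) from the ldapsearch line."""
    classes = entry.get("objectClass", [])
    return "user" in classes and "computer" not in classes


def is_normal_account(entry):
    """Mirror of `search userAccountControl="NORMAL_ACCOUNT"`: any value of the
    multivalued field may match, which is why disabled accounts still pass."""
    return "NORMAL_ACCOUNT" in entry.get("userAccountControl", [])


def build_groups_rows(entries, exclude_disabled=False, skip_missing_number=False):
    """Apply the page's filters and rename, returning lookup rows in input order.
    The two keyword switches are this example's additions, not part of the
    documented search; both default to the documented behaviour."""
    rows = []
    for entry in entries:
        if not (matches_base_filter(entry) and is_normal_account(entry)):
            continue
        if exclude_disabled and "ACCOUNTDISABLE" in entry.get("userAccountControl", []):
            continue
        row = {cdr: entry.get(ad, "") for ad, cdr in FIELD_MAP.items()}
        if skip_missing_number and not row["number"]:
            continue
        rows.append(row)
    return rows


def groups_lookup_csv(rows):
    """Render rows as the CSV file that `| outputlookup groups` would write."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Documented behaviour first, then the stricter variant for comparison.
    print(groups_lookup_csv(build_groups_rows(SAMPLE_ENTRIES)))
    print(groups_lookup_csv(build_groups_rows(SAMPLE_ENTRIES,
                                              exclude_disabled=True,
                                              skip_missing_number=True)))
```

Running the script prints the two CSV variants side by side. The default output shows that a disabled user and a phoneless service account both land in the lookup under the documented search, which is worth knowing when a reported group looks wrong; if you want the lookup to exclude them, the equivalent in the real search is an extra filter on userAccountControl and on an empty number, not a change to the ldapsearch line.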
You can also confirm that the lookup is populated with this command:

    | inputlookup groups

If all steps appear correct but you still get no data, and the above inputlookup doesn't display anything either, then you might want to confirm permissions on the lookup itself. The following outlines how to check and set those.
If you have any comments at all about the documentation, please send them to docs@sideviewapps.com.