<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Why should I install Splunk on Domain Controllers? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235131#M45792</link>
    <description>&lt;P&gt;Your security concerns are well-founded.  An attacker on your SDCs might go unnoticed without Splunk logging.&lt;/P&gt;</description>
    <pubDate>Wed, 11 Jan 2017 14:57:50 GMT</pubDate>
    <dc:creator>richgalloway</dc:creator>
    <dc:date>2017-01-11T14:57:50Z</dc:date>
    <item>
      <title>Why should I install Splunk on Domain Controllers?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235128#M45789</link>
      <description>&lt;P&gt;Currently debating installing Splunk on all Domain Controllers.  Have a back and forth with my colleagues and security team as to if there is a real need for Splunk to be on all DC's.   Currently using Splunk 6.5.1 on 6 DC's within 2 sites out of 11 DC's within 4 sites.&lt;/P&gt;

&lt;P&gt;Debate is that it should only be installed on the PDC, however others say it should be installed on all.  Any suggestions greatly appreciated. &lt;/P&gt;</description>
      <pubDate>Tue, 10 Jan 2017 21:20:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235128#M45789</guid>
      <dc:creator>medma1934</dc:creator>
      <dc:date>2017-01-10T21:20:33Z</dc:date>
    </item>
    <item>
      <title>Re: Why should I install Splunk on Domain Controllers?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235129#M45790</link>
      <description>&lt;P&gt;I  hope you mean you install Splunk Universal Forwarders (SUF) on your DCs rather than Splunk Core.&lt;/P&gt;

&lt;P&gt;I think the decision comes down to what behavior you want when a DC not logging to Splunk becomes primary.  When a secondary DC takes over as primary, it would be nice to have that event logged in Splunk, which probably won't happen if not all DCs run SUF.  Also, whatever dashboards or alerts you have will continue to function uninterrupted if the new PDC is already logging to Splunk.&lt;/P&gt;</description>
      <pubDate>Tue, 10 Jan 2017 22:27:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235129#M45790</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2017-01-10T22:27:50Z</dc:date>
    </item>
    <item>
      <title>Re: Why should I install Splunk on Domain Controllers?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235130#M45791</link>
      <description>&lt;P&gt;Thanks, Splunk agent is the only thing running on a few Domain Controllers.  Ultimately would like to put it on all remaining DCs, but the pushback from the team is why?  The team thinks that running the Splunk agent on the PDC is enough.  Other than the reason of what if you move PDC to another it will log uninterrupted, I find myself having a hard time justifying why the Splunk agent should be on all.&lt;/P&gt;

&lt;P&gt;As I understand, most events are replicated across all Domain Controllers for authentication purposes of a domain, but security events, as I understand, aren't.  I am in favor of adding the Splunk agent more so because of security events in this day and age.&lt;/P&gt;

&lt;P&gt;Appreciate your info.&lt;/P&gt;

&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Wed, 11 Jan 2017 14:36:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235130#M45791</guid>
      <dc:creator>medma1934</dc:creator>
      <dc:date>2017-01-11T14:36:40Z</dc:date>
    </item>
    <item>
      <title>Re: Why should I install Splunk on Domain Controllers?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235131#M45792</link>
      <description>&lt;P&gt;Your security concerns are well-founded.  An attacker on your SDCs might go unnoticed without Splunk logging.&lt;/P&gt;</description>
      <pubDate>Wed, 11 Jan 2017 14:57:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235131#M45792</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2017-01-11T14:57:50Z</dc:date>
    </item>
    <item>
      <title>Re: Why should I install Splunk on Domain Controllers?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235132#M45793</link>
      <description>&lt;P&gt;Thanks.  On to battle.&lt;/P&gt;

&lt;P&gt;Appreciate the feedback.&lt;/P&gt;

&lt;P&gt;-Mike&lt;/P&gt;</description>
      <pubDate>Wed, 11 Jan 2017 16:56:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-should-I-install-Splunk-on-Domain-Controllers/m-p/235132#M45793</guid>
      <dc:creator>medma1934</dc:creator>
      <dc:date>2017-01-11T16:56:43Z</dc:date>
    </item>
  </channel>
</rss>

