https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422715#M5877 <P>Hi Adonio, thanks for responding. I checked those links and it seems like we can get basic stats such as performance counters from CPU, Memory , registry monitoring etc on whichever Windows system we configure the forwarder on. </P> <P>Typically from Active Dir monitoring point of view, one would be more interested in watching for changes such user addition / deletion, group addition/deletion/modification , group policy changes..and so on. Do you have any references to point me to how to configure the TA Windows &amp; [admon] input to log these type of changes ?</P> <P>Appreciate your help.</P> Fri, 06 Jul 2018 17:12:08 GMT neerajshah81 2018-07-06T17:12:08Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422713#M5875 <P>Hello All, We have a single instance Splunk enterprise (version 7.1) deployment on Linux which is doing everything . We would like to monitor our AD using SPLUNK. I am confused by reading <A href="http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/MonitorActiveDirectory">http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/MonitorActiveDirectory</A> , does it mean that for this to work Splunk instance needs to installed be on Windows ? How do customers which have Splunk installed on Linux monitor AD then ?</P> Fri, 06 Jul 2018 16:21:46 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422713#M5875 neerajshah81 2018-07-06T16:21:46Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422714#M5876 <P>i think that the easiest way will be to install a forwarder on the AD server, have the TA windows installed on the forwarder and enable the <CODE>[admon]</CODE> input<BR /> read more here:<BR /> <A href="https://splunkbase.splunk.com/app/742/#/details">https://splunkbase.splunk.com/app/742/#/details</A><BR /> <A href="http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Configuration">http://docs.splunk.com/Documentation/WindowsAddOn/5.0.0/User/Configuration</A><BR /> i guess in the documents, you can refer to a Universal Forwarder as well<BR /> you will also need the windows TA on your Splunk indexer (linux machine)</P> <P>hope it helps</P> Fri, 06 Jul 2018 16:45:54 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422714#M5876 adonio 2018-07-06T16:45:54Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422715#M5877 <P>Hi Adonio, thanks for responding. I checked those links and it seems like we can get basic stats such as performance counters from CPU, Memory , registry monitoring etc on whichever Windows system we configure the forwarder on. </P> <P>Typically from Active Dir monitoring point of view, one would be more interested in watching for changes such user addition / deletion, group addition/deletion/modification , group policy changes..and so on. Do you have any references to point me to how to configure the TA Windows &amp; [admon] input to log these type of changes ?</P> <P>Appreciate your help.</P> Fri, 06 Jul 2018 17:12:08 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422715#M5877 neerajshah81 2018-07-06T17:12:08Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422716#M5878 <P>Adonio, one more question. I was referring to your other posts on this forum in helping users with the same concerns. What is the difference between ( <A href="https://splunkbase.splunk.com/app/742/#/details">https://splunkbase.splunk.com/app/742/#/details</A> ) and ( <A href="https://splunkbase.splunk.com/app/1680/">https://splunkbase.splunk.com/app/1680/</A>) and which of the two one would you recommend for monitoring AD ?</P> <P>Thanks in advance</P> Fri, 06 Jul 2018 17:32:49 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422716#M5878 neerajshah81 2018-07-06T17:32:49Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422717#M5879 <P>the adding and deleting users as well as other relevant events are being collected by the security event logs.<BR /> you will want to enable that input on your AD/DC forwarder</P> Sun, 08 Jul 2018 09:48:51 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422717#M5879 adonio 2018-07-08T09:48:51Z https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422718#M5880 <P>the first one is a TA and the second one is an app with views and dashboards etc.<BR /> will recommend to read here about different kind of apps:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Whatsanapp">https://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Whatsanapp</A></P> Sun, 08 Jul 2018 09:51:21 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitoring-Active-Directory-using-Splunk-Enterprise-Single/m-p/422718#M5880 adonio 2018-07-08T09:51:21Z