Sorry if my questions sound silly, but this is my first Splunk deployment, and I am not even familiar with working with AD and Exchange.
I had to configure Splunk to collect Active Directory and Microsoft Exchange logs.
For AD, I configured the Splunk App for Windows Infrastructure, and for Exchange, I configured the Splunk App for Microsoft Exchange. Later, I found out that the Exchange app also provides A.D data, but I am not sure to what extent.
So my question is, can the Exchange app also be used for AD logs, or is the Windows Infra app also required for AD logs?
The only difference I found between the main dashboards of both apps, in terms of AD data, is that Exchange has "User" & "Computer" info and the Win Infra app has "DNS".
If you have Splunk for Microsoft Exchange, you already have the Splunk for Windows Infrastructure App.
The second one is a subset of the first: the first is a premium App, the second one is a free App; both of these apps are on Splunk assistance.
Thank you very much for your prompt response and clarifying the info.
All the dashboards of the Windows Infrastructure app are included in the Exchange app, hence you can use the Splunk App for Microsoft Exchange for monitoring Exchange data, Windows data and AD data as well.
If you have set up the Exchange app correctly, then you don't need the Windows Infra app. It is also recommended that you don't install both apps on the same search head. Please refer to the link below for more details.
As far as the dashboards are concerned, the Exchange app also has the "DNS" dashboard. It's just that while running the guided setup it might not have selected the DNS dashboard automatically, and hence the DNS dashboard is hidden.
You can follow the steps below to display the DNS (or any other, for that matter) dashboard in the Exchange app.
-- Go to the Exchange app
-- Click on Tools and Settings -> Customize Features
-- Select the checkbox against "DNS" (or you can select all) and click on Save features
-- It will enable the DNS dashboard in the Exchange app under the Active Directory menu
You can also refer to the doc below for more information:
I hope it has answered all your queries. Let me know if you need any more information on this.
Thanks a lot for clarifying that and for such valuable info.
I have removed the Win Infra app.
My other queries are,
Is installing the Splunk Add-on for Windows and the Windows DNS add-on mandatory if I am not interested in capturing Windows and DNS data?
In the Exchange app docs, Splunk recommends installing the Splunk Add-on for Microsoft Active Directory only on the U.F; however, in the Win Infra app, it says to install it on the S.H, Indexer and U.F. Would it affect the Exchange app in any way?
Yes, you need to install the Splunk add-ons for Windows, Windows DNS and Windows AD on the SH and IDX, since these add-ons contain the search-time and index-time knowledge object definitions which are used in the Exchange app. If you don't install these add-ons on the SH or IDX, then you will have warnings on your SH dashboards/panels that some of the eventtypes are missing/disabled/not found, because they are defined in the add-ons.
You need to install these add-ons on the UF if you want to get the data specific to Windows, Windows DNS and Windows AD.
The exchange app document might not be fully updated.
Thanks for clarifying that. That documentation really needs to be up-to-date.
Another follow-up question is: since this add-on needs to be installed on both the S.H and Indexer, and its configuration instructions say "it immediately begins collecting data", the A.D overview dashboard shows my Indexer as one of the Domain Controllers under "topology report". Is there a way to make it disappear?
By default, the inputs of these add-ons (Windows DNS and Windows AD) are enabled, and hence when you install these add-ons on your SH/IDX, they start collecting data.
You can disable all the inputs of these add-ons (Windows DNS and Windows AD) on your Indexer and SH. You can do so by following the steps below:
1) Create a local folder in Splunk_TA_microsoft_ad and Splunk_TA_microsoft_dns
2) Copy inputs.conf from the default folder to the local folder
3) Add "disabled = 1" to all the input stanzas, which will disable the inputs on your indexers and SH
4) Restart Splunk on the SH and Indexers
The above steps will stop the data collection from the indexers and SH. So after some time your Indexers should disappear from the topology report dashboard. Another, quicker way to make the data disappear is to clean the already indexed data.
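The four steps above, as an added PowerShell example that is not from the original thread or from Splunk: it writes a local\inputs.conf for each add-on containing only the stanza headers from default\inputs.conf with disabled = 1 under each (an override, rather than a full copy of the default file), restarts Splunk, and then uses btool to show which file each effective "disabled" setting comes from. The install path, the add-on directory names in $AddOns, and running it as an administrator on the search head or indexer are assumptions.

```powershell
# Added example, not from the thread. Assumptions: Splunk lives under $SplunkHome,
# the add-on directories are named as in $AddOns, and this runs as an administrator
# on the SH/IDX where collection should be turned off.
$SplunkHome = 'C:\Program Files\Splunk'
$AddOns     = @('Splunk_TA_microsoft_ad', 'Splunk_TA_microsoft_dns')
$SplunkExe  = Join-Path $SplunkHome 'bin\splunk.exe'

foreach ($app in $AddOns) {
    $default  = Join-Path $SplunkHome "etc\apps\$app\default\inputs.conf"
    $localDir = Join-Path $SplunkHome "etc\apps\$app\local"

    if (-not (Test-Path $default)) {
        Write-Warning "$default not found, skipping $app"
        continue
    }

    # Every stanza header in the default file, e.g. [admon://NearestDC]
    $stanzas = @(Select-String -Path $default -Pattern '^\s*\[.+\]\s*$' |
        ForEach-Object { $_.Line.Trim() })

    if ($stanzas.Count -eq 0) {
        Write-Warning "no input stanzas found in $default, skipping $app"
        continue
    }

    New-Item -ItemType Directory -Force -Path $localDir | Out-Null

    # Only the override goes into local, so the add-on's own defaults stay untouched
    # and a later add-on upgrade does not fight a stale full copy of inputs.conf.
    $lines = foreach ($s in $stanzas) { $s; 'disabled = 1'; '' }
    Set-Content -Path (Join-Path $localDir 'inputs.conf') -Value $lines -Encoding ASCII
    Write-Host "$app : disabled $($stanzas.Count) input stanza(s) via local\inputs.conf"
}

# The new local settings are only read after a restart.
& $SplunkExe restart

# Verify with btool: each line is "<file that supplies the setting>  <setting>".
# Every stanza of the two add-ons should now pair with a "disabled = 1" coming
# from its local\inputs.conf; anything still supplied by default\ is still live.
& $SplunkExe cmd btool inputs list --debug |
    Select-String -Pattern 'Splunk_TA_microsoft_(ad|dns)\\(default|local)\\inputs\.conf\s+(\[|disabled)'
```

The same loop works for any other add-on directory whose inputs should not run on the SH/IDX: add its directory name to $AddOns. The btool check at the end is the part to keep handy, because it reports the winning file for every setting across all apps, which is exactly what you need when data keeps arriving from an app you have not yet looked at.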
Thanks for that. I applied those settings; however, there is still a huge amount of data being generated from the Indexer despite having disabled them. It's mainly the WinNetMon and WinHostMon sourcetypes.
I have already run .\splunk cmd btool inputs list --debug | findstr "type" for both types and found that WinHostMon comes from TA-Exchange-Mailbox and WinNetMon from TA-Windows. I have already disabled these, but I am still unable to stop the data.
Can you please help?