Hello, I'm setting up a Splunk environment for the first time and wanted to use the Splunk App for Windows Infrastructure to monitor our Active Directory environment. I deployed Splunk Enterprise 6.2 on a Linux CentOS 6.5 server. I was looking at the http://docs.splunk.com/Documentation/Splunk/latest/Data/AuditActiveDirectory document and noticed:
"Monitor an Active Directory schema | * Splunk must run on Windows
To get the best results out of monitoring AD with Splunk Enterprise, be aware of the following:
This feature is only available with Splunk Enterprise on Windows. You won't be able to monitor AD changes from a *nix version of Splunk (though you can forward AD data gathered from a Windows version of Splunk to a *nix indexer)."
I currently have the Splunk Supporting Add-on for Active Directory connected to our Active Directory domain, and a splunkforwarder sending data from a domain controller. However, when I "detect" in the Windows Infrastructure App I receive "Not found" for Active Directory.
Any info will be helpful and thanks in advance!
Running Splunk on Linux as an indexer is no problem for this setup. Problems might occur within the dashboard part of the app. Not sure if it relies on Windows-specific information/connectivity.
Two points come to my mind.
1. The forwarder should be a heavy forwarder (Splunk server, not Universal Forwarder; this gives all the functionality the Supporting Add-on might need).
2. Maybe a Windows search head gives the missing connectivity for the dashboard part.
So it could look like this:
Windows DC (Heavy Forwarder) -> Splunk Indexer (Linux) -> Splunk Search Head (Windows)
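As an added illustration of the collection half of that layout (not configuration from this thread or from the app itself), the two stanzas below are what the Windows forwarder on the domain controller would carry: inputs.conf enables the Active Directory change monitor and the Security event log, and outputs.conf points at the Linux indexer. The hostname, port and index name are placeholders to adapt.

```ini
# inputs.conf on the Windows forwarder (domain controller).
# Active Directory change monitoring; this input only works on a Windows host,
# which is why the doc says the collecting instance must run on Windows.
[admon://NearestDC]
# Empty targetDc lets the forwarder pick the nearest domain controller.
targetDc =
# Empty startingNode monitors from the domain root.
startingNode =
# Follow the whole subtree beneath the starting node.
monitorSubtree = 1
disabled = 0
# Placeholder index name; create it on the Linux indexer first.
index = msad

# Security event log, the source for logon and account-change events.
[WinEventLog://Security]
disabled = 0
index = msad

# outputs.conf on the same forwarder: ship everything to the Linux indexer.
[tcpout]
defaultGroup = linux_indexers

[tcpout:linux_indexers]
# Placeholder hostname; port 9997 is the usual receiving port enabled on the indexer.
server = splunk-indexer.example.internal:9997
```

The indexer side (Linux) only needs a receiving port enabled and the target index created; none of the AD-specific collection runs there, which matches the doc's note that Windows-gathered AD data can be forwarded to a *nix indexer.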
Thanks for the info, msenebald. Just to make sure I understand correctly: I currently have a 6.2.0 Universal Forwarder on the Domain Controller; you're saying this may be the issue? I would need to deploy Splunk Enterprise on a Domain Controller and configure it to be a forwarder to my Splunk Indexer (Linux)? I was hoping to have my Splunk indexer and search head on the same (Linux) server.
No, what he (or she - one must not assume) is saying is that wherever you are performing the search (be that on a dedicated search head or on the indexer) the dashboard it presents may require certain external bindings or facilities not compatible with Linux. (I cannot say whether this is right or wrong. We have been monitoring Windows hosts with Linux Splunk infrastructure since 2008, long before "Splunk App for Windows Infrastructure" even existed.)
Certainly the basic functions of consuming, indexing, and regurgitating Windows log data are all fundamentally simple. What the App requires to present its dashboard - well that's another matter.
In short: gathering the data is simple; how it is presented may not be.
Thanks again, grijhwani. I appreciate the help. I'm trying to learn as much as possible on this, and want to have the most productive setup. Any helpful tips for monitoring Active Directory are greatly appreciated!
The simple answer to the headline question is "yes". The more comprehensive answer will have to wait until I can take a closer look at the deployment configs at work to give you some pointers. (I'm on the Linux and Splunk side of the equation, avoiding contact with Windows as far as humanly possible.)
Great! I appreciate it, grijhwani. I have not made any config changes after installing the Splunk App for Windows Infrastructure yet. I wanted to verify it would be possible, which I had a feeling it would. I will keep troubleshooting and see if I can get this to work.