- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Can you Monitor Active Directory with Splunk E...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you Monitor Active Directory with Splunk Enterprise running on Linux?
Hello, I'm setting up a splunk environment for the first time and wanted to use the Splunk App for Windows Infrastructure to monitor our Active Directory environment. I deployed Splunk enterprise 6.2 on a linux CentOS 6.5 server. I was looking at the http://docs.splunk.com/Documentation/Splunk/latest/Data/AuditActiveDirectory document and noticed:
"Monitor an Active Directory schema | * Splunk must run on Windows
To get the best results out of monitoring AD with Splunk Enterprise, be aware of the following:
This feature is only available with Splunk Enterprise on Windows. You won't be able to monitor AD changes from a *nix version of Splunk (though you can forward AD data gathered from a Windows version of Splunk to a *nix indexer)."
I currently have the Splunk Supporting Add-on for Active Directory connected to our Active Directory domain, and a splunkforwarder sending data from a domain controller. However, when I "detect" in the Windows Infrastructure App I receive "Not found" for Active Directory.
Any info will be helpful and thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tjjones0363, did you have the solution for this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
running Splunk on Linux as an Indexer is no problem for this setup. Problems might occur within the Dashboard part of the App. Not sure if it relies on Windows Specific Informations/Connectivity.
2 Points come to my mind.
1. Forwarder should be a HeavyForwarder (Splunk Server not Universal Forwarder (gives all the functionality the Support Add might need)
2. Maybe a Windows Searchhead gives the missing Connectivity for the Dashboard part.
So it could look like this:
Windows DC (Heavy Forwarder) -> Splunk Indexer (Linux) -> Splunk Searchhead (Windows)
BR Martin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the info msenebald. Just to make sure I understand correctly. I currently have a 6.2.0 Universal Forwarder on the Domain Controller, you're saying this may be the issue? I would need to deploy Splunk Enterprise on a Domain Controller and configure it to be a forwarder to my Splunk Indexer (linux)? I was hoping to have my Splunk Indexer and searchhead on the same (linux) server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, what he (or she - one must not assume) is saying is that wherever you are performing the search (be that on a dedicated search head or on the indexer) the dashboard it presents may require certain external bindings or facilities not compatible with Linux. (I cannot say whether this is right or wrong. We have been monitoring Windows hosts with Linux Splunk infrastructure since 2008, long before "Splunk App for Windows Infrastructure" even existed.)
Certainly the basic functions of consuming, indexing, and regurgitating Windows log data are all fundamentally simple. What the App requires to present its dashboard - well that's another matter.
In short: gathering the data is simple; how it is presented may not be.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again grijhwani. I appreciate the help. I'm trying to learn as much as possible on this, and want to have the most productive setup. Any helpful tips for monitoring Active Directory is greatly appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The simple answer to the headline question is "yes". The more comprehensive answer will have to wait until I can take a closer look at the deployment configs at work to give you some pointers. (I'm on the Linux and Splunk side of the equation, avoiding contact with Windows as far as humanly possible).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great! I appreciate it grijhwani, I have not made any config changes after installing the Splunk App for Windows Infrastructure yet. I wanted to verify it would be possible, which I had a feeling it would. I will keep troubleshooting and see if I can get this to work.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
