
From Nothing to Active Directory

omatsei
Explorer

I've been fighting with the Active Directory app for 4 days now, and I'm becoming frustrated. I had it working, except for some really strange hostname issues, which I was unable to resolve. At this point, I have uninstalled every universal forwarder, and the central Splunk install completely. I have deleted every single reference of Splunk from every file or directory that I can find. Is there any documentation for how to install Splunk from scratch, then install the Active Directory app and have all the features work?

The existing documentation is vague and unhelpful in some rather important spots. For example, when editing the conf files, it says I should ensure the correct indexes are set. What are the correct indexes? If I'm installing directly out of the box, do I need to change ANY conf file at all? Isn't there a "from nothing to monitor AD" guide somewhere out there?

1 Solution

malmoore
Splunk Employee

Hi,

Firstly, we noted some areas in the Splunk App for Active Directory docs which might lead to confusion and are addressing those issues. If you wouldn't mind noting any other areas you found confusing, that would be great. We really do appreciate the feedback.

The upshot is, while the Splunk App for AD is a fairly complex application to install and configure, the only configuration file you need to edit in a standard Splunk App for Active Directory setup is ldap.conf, as described here.

The quickest procedure for a "Nothing to Active Directory" setup would be:

1. Prepare your AD for data collection, as described here.

2. Download and place in an accessible location:

  • full Splunk.
  • the Windows version of the Splunk universal forwarder.
  • the Splunk App for Active Directory.
  • the SA-ldapsearch supporting add-on.
  • the Splunk Technology Add-on for Windows.
  • Sideview Utils v1.3.2 or later.

3. Install full Splunk on a server. This server becomes your central Splunk instance.

4. Configure the instance to be a receiving indexer.

5. Install the universal forwarder onto a domain controller. During the installation process, configure the forwarder to send data to the receiving indexer.

6. Unpack the Splunk App for Active Directory installation package. Within it, you'll find the Splunk App for Active Directory TAs (in Splunk_for_ActiveDirectory\appserver\addons).

7. Move the appropriate TAs to %SPLUNK_HOME%\etc\apps on the domain controller, depending on which version of Windows it runs. You do not need to edit any configuration files.

8. Install the Splunk TA for Windows on the domain controller.

9. On the central Splunk instance, install:

  • the Splunk App for Active Directory.
  • the SA-ldapsearch supporting add-on.
  • the Splunk Technology Add-on for Windows.
  • Sideview Utils.

10. Edit ldap.conf in %SPLUNK_HOME%\etc\apps\SA-ldapsearch\local.

11. Restart all Splunk instances to ensure the changes take effect.

This should give you a minimal, running Splunk App for Active Directory deployment. Specific steps are covered in detail in "How to deploy the Splunk App for Active Directory". If you have additional domain controllers in your AD environment and want data from them, repeat Steps 5, 7, and 8.

Again, the Splunk App for Active Directory is a complex application to install, and requires an in-depth knowledge of both distributed Splunk and Active Directory. You might want to engage Professional Services for assistance if this procedure doesn't help. That said, we constantly review the documentation and thank you for assisting us in our efforts to improve it.

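The procedure above spreads the deployment across three roles (a receiving indexer, a universal forwarder on each domain controller, and the central instance that hosts SA-ldapsearch), and most "it installs but nothing shows up" problems come from those roles disagreeing with each other. The following script is an added example, not code from Splunk or from the Splunk App for Active Directory: it models the relevant .conf files of each role as in-memory text, applies Splunk's default/local layering (local wins), and checks that the forwarder's tcpout target matches an enabled splunktcp listener on the indexer (steps 4 and 5) and that ldap.conf has been placed in SA-ldapsearch\local rather than default\ (step 10). All hostnames, ports and directory names are constructed sample values; the ldap.conf key names (server, basedn, binddn) are assumed from SA-ldapsearch's ldap.conf.spec and are not taken from this thread.

```python
"""Consistency check for the minimal Splunk App for AD topology (added example)."""
import configparser
from typing import Dict, List, Set, Tuple

ConfTree = Dict[str, str]  # path relative to %SPLUNK_HOME%\etc -> file contents

# Constructed sample files for each role; every value below is made up.
INDEXER: ConfTree = {
    r"system\local\inputs.conf": "[splunktcp://9997]\ndisabled = 0\n",
}
FORWARDER: ConfTree = {
    r"system\default\outputs.conf": "[tcpout]\ndefaultGroup = default-autolb-group\n",
    r"system\local\outputs.conf": (
        "[tcpout:default-autolb-group]\n"
        "server = splunk-central.example.local:9997\n"
    ),
}
SEARCH_HEAD_OK: ConfTree = {
    r"apps\SA-ldapsearch\local\ldap.conf": (
        "[default]\n"
        "server = dc01.example.local\n"
        "basedn = DC=example,DC=local\n"
        "binddn = CN=svc-ldapsearch,OU=Service Accounts,DC=example,DC=local\n"
    ),
}
SEARCH_HEAD_BAD: ConfTree = {
    # Same content, but written to default\ where an app upgrade overwrites it.
    r"apps\SA-ldapsearch\default\ldap.conf": SEARCH_HEAD_OK[r"apps\SA-ldapsearch\local\ldap.conf"],
}


def load_layered(tree: ConfTree, name: str) -> configparser.ConfigParser:
    """Merge every ...\\default\\<name>, then every ...\\local\\<name>, so that
    local settings override default ones (Splunk's layering, simplified: the
    cross-app precedence rules are not modelled here)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # Splunk keys are case-sensitive
    for layer in ("\\default\\", "\\local\\"):
        for path, body in sorted(tree.items()):
            if layer in path and path.endswith("\\" + name):
                cfg.read_string(body)
    return cfg


def receiving_ports(indexer: ConfTree) -> Set[int]:
    """Ports on which the indexer accepts forwarder traffic (step 4)."""
    cfg = load_layered(indexer, "inputs.conf")
    ports: Set[int] = set()
    for stanza in cfg.sections():
        if stanza.startswith("splunktcp://"):
            if cfg.get(stanza, "disabled", fallback="0").lower() in ("1", "true"):
                continue
            # Stanza may be splunktcp://port or splunktcp://host:port
            ports.add(int(stanza[len("splunktcp://"):].rsplit(":", 1)[-1]))
    return ports


def forwarder_targets(fwd: ConfTree) -> Set[Tuple[str, int]]:
    """(host, port) pairs the universal forwarder sends to (step 5)."""
    cfg = load_layered(fwd, "outputs.conf")
    targets: Set[Tuple[str, int]] = set()
    for stanza in cfg.sections():
        if stanza.startswith("tcpout:") and cfg.has_option(stanza, "server"):
            for entry in cfg.get(stanza, "server").split(","):
                host, _, port = entry.strip().rpartition(":")
                targets.add((host, int(port)))
    return targets


def ldap_conf_findings(head: ConfTree) -> List[str]:
    """Step 10: ldap.conf must exist in SA-ldapsearch\\local and name the directory."""
    local = r"apps\SA-ldapsearch\local\ldap.conf"
    if local not in head:
        return ["ldap.conf is missing from SA-ldapsearch\\local "
                "(a copy in default\\ is lost on upgrade and is not the documented location)"]
    cfg = load_layered({local: head[local]}, "ldap.conf")
    # Key names assumed from SA-ldapsearch's ldap.conf.spec, not from this thread.
    return [f"ldap.conf [default] lacks {key}"
            for key in ("server", "basedn", "binddn")
            if not cfg.get("default", key, fallback="").strip()]


def check_topology(indexer: ConfTree, fwd: ConfTree, head: ConfTree) -> List[str]:
    """Return an empty list when the three roles agree, else human-readable findings."""
    findings: List[str] = []
    ports = receiving_ports(indexer)
    if not ports:
        findings.append("indexer has no enabled [splunktcp://<port>] stanza (step 4)")
    targets = forwarder_targets(fwd)
    if not targets:
        findings.append("forwarder has no tcpout server configured (step 5)")
    for host, port in sorted(targets):
        if port not in ports:
            findings.append(f"forwarder sends to {host}:{port} but indexer listens on {sorted(ports)}")
    findings.extend(ldap_conf_findings(head))
    return findings


if __name__ == "__main__":
    for label, head in (("correct", SEARCH_HEAD_OK), ("ldap.conf in default", SEARCH_HEAD_BAD)):
        print(label, "->", check_topology(INDEXER, FORWARDER, head) or "OK")
```

To use it against a real deployment, replace the constructed dictionaries with the contents of the corresponding files read from each host; the checks themselves do not depend on the sample values.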


grouponjosh
Engager

This is WAY more helpful than the documentation. One question, when installing the universal forwarder does it have to be done in Remote mode like the documentation suggests or can you do local? If I do Remote, what permissions does my service account need? I don't want to make it a domain administrator but giving it log on as a service, batch job, as part of OS, etc. as mentioned in the documentation doesn't seem to work. Thanks!


omatsei
Explorer

I followed all these instructions, and everything appears to work perfectly! Thank you!


malmoore
Splunk Employee

That is correct, %SPLUNK_HOME%\etc\apps.

omatsei
Explorer

This is much better than anything else I've found on the subject thus far. For step 8, does that entail simply extracting the folder called "Splunk_TA_windows" into the %SPLUNK_HOME%\etc\apps folder, similar to step 7?
