I am configuring splunk to monitor AD but I am not able to ping AD server from Splunk. How do I accomplish it. Actually I want to configure Splunk support Add on for Active Directory but not able to do so because my splunk is on AWS and AD is on prem.
How do I do it?
Hi @Amandeepsin,
why do you want to ping DC?
you need only to have on the DCs a Universal Forwarder and all the Technical Add-ons (TAs) required by the app you want (the TAs you listed in the question).
Then the UFs send their logs to Splunk Clud, usually passing through an Heavy Forwarder (to avoid to open too many routes on firewall).
You can configure the TAs in two ways:
In the first case, you have to manually add and configure TAs on each server to monitor.
In the second case, you have to follow the procedure to manage UFs using a Deployment Server ( https://docs.splunk.com/Documentation/Splunk/8.0.2/Updating/Aboutdeploymentserver ).
The Deployment Server must be a dedicated server if it has to manage more than 50 clients, otherwise it can stay on a server with also other roles.
To complete the answer, I hint to re-design your architecture because usually using Splunk Cloud it's better to use two Heavy Forwarders as log concentrators to avoid Single Points of Failue.
Ciao.
Giuseppe
Hi,
I am using Splunk Enterprise and we want to monitor AD. For that I am using Windows infra App. This app requires one Add on i.e. Splunk Supporting Add on for AD and while doing configurations I need to provide Hostname and credentials ( Hostname of LDAP Server which is DC in my case ). How do I make connection with this DC? Installing Splunk Forwarder will make connection from DC to Splunk not vice Versa but I am not completely sure. Because Splunk talks over internet and outgoing ports are open in our DC but not incoming..
Not sure if authentication is done over SSL.. If yes, then how?
You install the Splunk Universal Forwarder on the DC and it will perform a PUSH to the Splunk environment.
Assuming the appropriate ports are open on your AWS instance.
Universal Forwarder:
https://www.splunk.com/en_us/download/universal-forwarder.html
Required Ports:
https://answers.splunk.com/answers/58888/what-are-the-ports-that-i-need-to-open.html
Additionally, you will need the appropriate Technology Add-On to properly ingest the AD/Windows data:
https://docs.splunk.com/Documentation/MSApp/2.0.0/MSInfra/AbouttheSplunkAppforMSInfrastructure