All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to configure Splunk Supporting Add-on for Active Directory on a single Splunk instance (running on Linux) for file upload?

splunklearner12
Path Finder
‎06-11-2019 08:59 AM

I want to examine a snippet of AD logs (i.e. no real-time data) for testing on a Linux single-instance.
I installed the Splunk App for Windows Infrastructure which then prompted me to also install the Splunk Add-on for Microsoft Windows and Splunk Supporting Add-on for Microsoft Active Directory. Now to configure the AD Add-on, I need to fill in the below form:
alt text
I looked at this page: https://docs.splunk.com/Documentation/SA-LdapSearch/2.2.1/User/ConfiguretheSplunkSupportingAdd-onfor...
My understanding is that splunk would try to directly connect to the domain to monitor its AD data. But, I am provided with a snippet file of AD logs and should not monitor live data. How do I go about configuring the add-on/uploading the file in a readable format?

Preview file
40 KB
0 Karma
Reply

splunklearner12
Path Finder
‎06-18-2019 02:02 AM

If you can't connect to AD from the test server, using something like Logparser to convert to csv should do the trick.

0 Karma
Reply

DavidHourani
Super Champion
‎06-11-2019 09:09 AM

Hi @splunklearner1234,

The "Splunk Supporting Add-on for Microsoft Active Directory" allows you to fetch the AD objects such as users, assets, groups, etc... This is not for fetching AD logs, This is especially useful if you want to keep track of the AD tree since you'll be able to grab a daily snapshot and be able to compare and find out what has changed.

If you're looking for the TA to collect AD logs then you should be installing this on a UF on your AD server :
https://splunkbase.splunk.com/app/3207/

Let me know if you need more details.

Cheers,
David

0 Karma
Reply

splunklearner12
Path Finder
‎06-12-2019 01:22 AM

Hi David,
I am only working on a test server, with a snippet of existing log files which won't be updated for this purpose.
For this I will not be installing anything on the AD server itself, but I will be sent a file to use.

0 Karma
Reply

DavidHourani
Super Champion
‎06-18-2019 01:57 AM

In that case for fetching the list of users, groups, etc.. "Splunk Supporting Add-on for Microsoft Active Directory" should do the trick, still have to connect from your test server to AD to get the tree, nothing to be installed on the AD server though. Hope this helps, and let us know what progress you've made.

0 Karma
Reply

splunklearner12
Path Finder
‎06-18-2019 02:00 AM

I ended up using Microsoft Logparser to convert the files to csv before uploading, because there was no possibility to connect to AD from the test Splunk server. That seemed to work well without data loss.

0 Karma
Reply

DavidHourani
Super Champion
‎06-18-2019 02:03 AM

Great to hear that 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...