All Apps and Add-ons
Highlighted

How to configure a Splunk universal forwarder on Microsoft Active Directory servers to forward AD data to a Linux Splunk instance?

New Member

Hello

I am currently working on integrating Microsoft Active Directory servers with the Splunk Linux instance (Search and Indexer in one box).

The universal forwarder agent will be installed in AD servers to collect AD Data into Splunk.

I would like to understand below things:
1. Do you really need to create a separate user account with permission to local server admin group for forwarder installation? What is the security best practice approach here?
2. What is the real difference between Splunk Add-on for Windows and separate Splunk Add-on for Microsoft Active Directory?
3. Why can't you monitor AD schema changes if the Splunk Instance is in Linux? What is rationale here since AD changes will be collected in the form of machine data? I am not sure what AD schema monitoring mean here.

Thanks,
Ashish

0 Karma
Highlighted

Re: How to configure a Splunk universal forwarder on Microsoft Active Directory servers to forward AD data to a Linux Splunk instance?

Builder

Hi,

Follow some information that might help you:

Question 1.: For the UF installation you can choose the Local System account (information on app docs here: http://docs.splunk.com/Documentation/MSApp/1.3.0/MSInfra/InstallauniversalforwarderoneachWindowshost)

Question 2.: The Windows Addon will collect windows related information (EventLogs, Perfmon of host machine and others) while the MS AD Addon will collect domain data (using powershell queries on AD)

Question 3.: I'm not sure about this one but the app runs some queries on the AD and since your Linux is not powershell capable you cannot run those queries.

0 Karma