I am currently working on integrating Microsoft Active Directory servers with the Splunk Linux instance (search head and indexer on one box).
The Universal Forwarder agent will be installed on the AD servers to collect AD data into Splunk.
I would like to understand the following:
1. Do you really need to create a separate user account that is a member of the local server admin group for the forwarder installation? What is the security best-practice approach here?
2. What is the real difference between the Splunk Add-on for Windows and the separate Splunk Add-on for Microsoft Active Directory?
3. Why can't you monitor AD schema changes if the Splunk instance is on Linux? What is the rationale here, since AD changes will be collected in the form of machine data? I am not sure what AD schema monitoring means here.