How to configure a Splunk universal forwarder on Microsoft Active Directory servers to forward AD data to a Linux Splunk instance?

ashishgangar
New Member

Hello

I am currently working on integrating Microsoft Active Directory servers with the Splunk Linux instance (Search and Indexer in one box).

The universal forwarder agent will be installed in AD servers to collect AD Data into Splunk.

I would like to understand the following:
1. Do you really need to create a separate user account with permission to the local server admin group for the forwarder installation? What is the security best practice approach here?
2. What is the real difference between the Splunk Add-on for Windows and the separate Splunk Add-on for Microsoft Active Directory?
3. Why can't you monitor AD schema changes if the Splunk instance is on Linux? What is the rationale here, since AD changes will be collected in the form of machine data? I am not sure what AD schema monitoring means here.

Thanks,
Ashish

0 Karma

gfreitas
Builder

Hi,

Here is some information that might help you:

Question 1: For the UF installation you can choose the Local System account (information in the app docs here: http://docs.splunk.com/Documentation/MSApp/1.3.0/MSInfra/InstallauniversalforwarderoneachWindowshost)

Question 2: The Windows Add-on will collect Windows-related information (Event Logs, Perfmon of the host machine and others), while the MS AD Add-on will collect domain data (using PowerShell queries on AD).

Question 3: I'm not sure about this one, but the app runs some queries on the AD, and since your Linux box is not PowerShell capable you cannot run those queries.

0 Karma
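As an added illustration (not the answerer's configuration, and not shipped with either add-on), the inputs below show what a universal forwarder's inputs.conf on a domain controller looks like for the three data types mentioned above: Windows Event Logs and Perfmon (what the Windows add-on collects) and the admon input, which is the Splunk-side mechanism for watching AD object and schema changes. The DC name, index names and event ID list are placeholders chosen for this example.

```ini
# Added example inputs.conf for a universal forwarder running as Local System on a DC.
# Stanza names and keys follow Splunk's Windows input conventions; index names,
# the target DC and the event ID whitelist are placeholders, not project defaults.

# Security log: keep the logon and account-management events that matter for AD auditing
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
# 4624/4625 logons, 4720-4726 account lifecycle, 4728/4732/4756 group membership,
# 4738 account change, 4740 lockout, 4767 unlock
whitelist = 4624,4625,4720,4722,4724,4725,4726,4728,4732,4738,4740,4756,4767
renderXml = false
index = wineventlog

# Directory Service log: replication and database health events from the DC itself
[WinEventLog://Directory Service]
disabled = 0
index = wineventlog

# Perfmon: NTDS counters give DC load and replication latency (host-level data)
[perfmon://NTDS]
object = NTDS
counters = *
interval = 60
disabled = 0
index = perfmon

# admon: watches the directory for object changes and, with printSchema, the schema;
# baseline = 1 dumps the current directory once so later changes can be diffed
[admon://NearestDC]
targetDc = DC01.example.local
monitorSubtree = 1
baseline = 1
printSchema = 1
disabled = 0
index = msad
```

The admon stanza reads the directory through the forwarder's own account, which is why running the UF as Local System on a DC (as in the answer to question 1) is enough for it without a separate admin user.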