
How to install SA_LDAPSearch on Splunk Cloud

gcusello
Legend

Hi all,
I have to install the SA-LDAPSearch App on Splunk Cloud to query a Domain Controller.
I have in my infrastructure two Heavy Forwarders that concentrate logs from my target servers and send them to Splunk Cloud.
My problem is: the SA-LDAPSearch App is usually installed on a Search Head, but to do this in Splunk Cloud I should open a port from Splunk Cloud to my Domain Controllers, and I'd like to avoid this.
Is it possible to install it on my Heavy Forwarder or to use a different approach?

Thank you in advance.

Bye.
Giuseppe

1 Solution

kmorris_splunk
Splunk Employee

As an alternative, you can utilize the MS Windows AD Objects app https://splunkbase.splunk.com/app/3177/

"This application also provides an efficient alternative option for looking up AD Object attributes instead of using the Support Add-On for Active Directory (i.e. remote LDAP Queries). Since the Splunk for Windows Infrastructure and Splunk for Microsoft Exchange applications require the SA LDAPSearch add-on by default, the MS Windows AD Objects application provides the needed dashboard files to replace the ones provided within these applications."

b_chris21
Communicator

Hello,

I have SA-LDAPsearch installed on my Heavy Forwarder. It then forwards all data to my Cloud Instance with Enterprise Security.

Will this work in order to get my assets and identities populated?

In the Docs (https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.4/User/DeploytheSplunkSupportingAdd-onforAct...) I see that the Heavy Forwarder is one option to install it, but the respective table field is not checked.

Will the Heavy Forwarder have to have the Search Head role enabled in order to query the Domain Controllers?

Thanks


gcusello
Legend

Hi @b_chris21,

No, the Search Head role is only for Splunk queries; LDAP Search is a connector to extract data from AD and bring it into Splunk.

Bye.

Giuseppe

b_chris21
Communicator

Hello Giuseppe,

Thanks for your reply. So LDAPsearch on my HF is enough to connect to the ADs and extract the info, right?

Do you know if it periodically queries and extracts this info?

Many thanks.

BR

Chris


gcusello
Legend

Hi @b_chris21,

yes, you can configure the frequency of querying.

It usually depends on many parameters: how frequently the AD data are updated, how much license I accept to consume for these updates, and how much load I want to put on the AD.

Bye.

Giuseppe
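As an added example that is not part of the original thread: a minimal pair of configuration fragments for the setup discussed above (SA-LDAPSearch installed on the Heavy Forwarder, which queries the Domain Controller on a schedule and forwards the results to Splunk Cloud, with no port opened from Splunk Cloud towards the DCs). The domain name, hostnames, bind account, index name and cron schedule are made-up placeholders; the example assumes, as the thread does, that the HF forwards everything it ingests and that the target index already exists in Splunk Cloud. Check the exact stanza keys against the add-on version you deploy.

```ini
# --- ldap.conf on the Heavy Forwarder (local/ldap.conf of the add-on) ---
# Made-up domain stanza: server, port, bind account and base DN are placeholders.
# ssl = 1 makes the HF open an OUTBOUND LDAPS (636/tcp) connection to the DC;
# nothing has to be opened from Splunk Cloud towards the domain controllers.
[example.local]
alternatedomain = EXAMPLE
server = dc01.example.local
port = 636
ssl = 1
basedn = DC=example,DC=local
binddn = CN=svc-splunk-ldap,OU=ServiceAccounts,DC=example,DC=local
# password: set through the add-on's setup page so it is stored encrypted,
# not written here in clear text.

# --- savedsearches.conf on the same Heavy Forwarder ---
# The HF is a full Splunk Enterprise instance, so it can run a scheduled search
# locally; no "search head" role is needed for this. The results are written
# with `collect` into an index that the HF forwards, like all its other data,
# to Splunk Cloud (assumption: index ad_ldap_users exists in Splunk Cloud and
# outputs.conf forwards everything).
[AD users - LDAP snapshot]
enableSched = 1
# Frequency: once per night at 02:15. This is the knob behind "how frequently
# the AD data are updated" versus licence consumption and load on the DC.
cron_schedule = 15 2 * * *
# A narrow LDAP filter plus an explicit attribute list: fewer objects and
# fewer attributes per object mean less load on the DC and less licence
# consumed per run. Adjust both before shortening the schedule.
search = | ldapsearch domain="example.local" \
    search="(&(objectCategory=person)(objectClass=user))" \
    attrs="sAMAccountName,distinguishedName,displayName,memberOf,userAccountControl,whenChanged" \
  | eval snapshot_time=now() \
  | collect index="ad_ldap_users" sourcetype="ad:ldap:user"
dispatch.earliest_time = -1h
dispatch.latest_time = now
```

The three tuning points gcusello mentions map onto three lines: `cron_schedule` sets how often the DC is queried, the `search=` LDAP filter bounds how many objects each run pulls, and `attrs=` bounds how much data per object (and therefore how much licence) each run costs. Because the connection is initiated by the HF towards the DC over LDAPS, the only firewall rule needed is an outbound one from the HF to 636/tcp on the DC.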

b_chris21
Communicator

Thanks a lot, Giuseppe


gcusello
Legend

Thank you kmorris,
this helps me to have LDAP information in Splunk Cloud.
I'd like to understand why the App creators used lookups and eventtypes different from those of the SA-LDAPSearch App, so I have to customize this app to adapt it to the Splunk App for Windows Infrastructure!
Anyway.
Thank you again.
Bye.
Giuseppe
