Hi all,
I have to install the SA-LDAPSearch App on Splunk Cloud to query a Domain Controller.
I have in my infrastructure two Heavy Forwarders that concentrate logs from my target servers and send them to Splunk Cloud.
My problem is: SA-LDAPSearch App is usually installed on a Search Head, but to do this in Splunk Cloud, I should open a port from Splunk Cloud to my Domain Controllers, and I'd like to avoid this.
Is it possible to install it on my Heavy Forwarder or to use a different approach?
Thank you in advance.
Bye.
Giuseppe
As an alternative, you can utilize the MS Windows AD Objects app https://splunkbase.splunk.com/app/3177/
"This application also provides an efficient, alternative, option for looking up AD Object attributes instead of using the Support Add-On for Active Directory (i.e. remote LDAP Queries). Since the Splunk for Windows Infrastructure and Splunk for Microsoft Exchange applications require the SA LDAPSearch add-on by default, the MS Windows AD Objects application provides the needed dashboard files to replace the ones provided within these applications."
Hello,
I have SA-LDAPsearch installed on my Heavy Forwarder. It then forwards all data to my Cloud Instance with Enterprise Security.
Will this work in order to get my assets and identities populated?
In Docs (https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.4/User/DeploytheSplunkSupportingAdd-onforAct...) I see that Heavy Forwarder is one option to install it, but the respective table field is not checked.
Will the Heavy Forwarder have to have the Search Head role enabled in order to query the Domain Controllers?
Thanks
Hi @b_chris21,
no, the Search Head role is only for Splunk queries; LDAP Search is a connector to extract data from AD and bring it into Splunk.
Ciao.
Giuseppe
Hello Giuseppe,
thanks for your reply. So LDAPsearch is enough on my HF to connect to ADs and extract the info, right?
Do you know if it periodically queries and extracts this info?
Many thanks.
BR
Chris
Hi @b_chris21,
yes, you can configure the frequency of querying.
It usually depends on many parameters: how frequently AD data are upgraded, how much license I accept to consume for these updates, how much I want to load the AD.
Ciao.
Giuseppe
Many thanks, Giuseppe
Thank you kmorris,
this helps me to have LDAP information in Splunk Cloud.
I'd like to understand why the App creators used lookups and eventtypes different than SA-LDAPSearch App, so I have to customize this app to adapt it to Splunk App for Windows Infrastructure!
Anyway.
Thank you again.
Bye.
Giuseppe