Should I deploy Splunk TA for Windows to Universal Forwarders?

AHBrook
Path Finder

Hey all!

I've inherited a Splunk instance that has been running for about 8 years now. There are instances of Splunk_TA_windows all over it - most are 4.8.3, but a couple are 8.0.0 and 8.1.2. (The overall Splunk instance is running at 7.2 currently).

In the process of investigation, I have discovered that our Active Directory controllers had Universal Forwarders installed on them using the GUI installer. In the process, they were set to collect Windows event logs, but no other configuration was made. As a result, a ton of logging is flowing into our "main" index. In fact, the only thing in the "inputs.conf" file is the IP address of the host. Thanks to the help and pointers of many, I've determined that this is definitely "not good" and instead I should have some filters/blacklists in place.

I've gotten the controllers in question hooked up to our deployment server, so I want to push some apps to them via that.

My question is:

Should I deploy the entire Splunk_TA_windows app to the domain controllers? Or should I just push custom apps that contain the filtering/settings I want, and leave Splunk_TA_windows to the Heavy Forwarders, Indexers, and Search Heads we plan on using? Or should I do both?

I've consulted a few other resources, such as

Digging around, I'm seeing that some Windows logging is being put into the "ActiveDirectory" sourcetype already, but not from any configuration I can find applying to the system, so I assume it is just recognizing them as AD events.

My biggest concern is that I want to build a "baseline" that is easy to maintain going forward. I know from my Data Admin training that deployed add-ons are evaluated in reverse-lexicographical order (i.e. "Splunk_TA_Windows" has lower priority than "institution_windows_core"), so I should be able to stack things... but again, I just want to make sure I'm following what people recommend.

( May also be using this forum as a "Rubber ducky" situation. 😄 )


gcusello
SplunkTrust

Hi @AHBrook,

quickly answering your question:

Should I deploy the entire Splunk_TA_windows app to the domain controllers? Or should I just push custom apps that contain the filtering/settings I want, and leave Splunk_TA_windows to the Heavy Forwarders, Indexers, and Search Heads we plan on using? Or should I do both?

I suggest always using the latest released TA_Windows, disabling the inputs you don't need.

Anyway, if you have to customize inputs or only enable some of them, always copy the inputs.conf into the local folder and modify that version; don't modify the default version, because it will be overwritten at the first update.

If you have other additional custom inputs, you can add them to the inputs.conf in the local folder or in a custom TA, but don't put the inputs of the TA_Windows in that TA.

In general, I suggest reviewing your installation and upgrading all Splunk instances, Apps and TAs.

In addition, it is a best practice to have the same TA on all the deployed machines (with the only exclusion of very old systems not supported by the latest version), deploying it using the Deployment Server.

Ciao.

Giuseppe

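As an added example of the local-folder override the answer above describes (this is not gcusello's configuration nor the TA's own default file), here is what a deployment-server copy of Splunk_TA_windows could carry in local/inputs.conf for the domain controllers. The index name, the chosen event codes and the blacklist patterns are assumptions to adapt; the stanza names and settings are standard WinEventLog input keys.

```ini
# Splunk_TA_windows/local/inputs.conf  (added example; adapt index and filters)
# Every key here overrides the same key in ../default/inputs.conf, and local/
# is left alone when the TA is upgraded. Splunk .conf files do not allow
# comments at the end of a value line, so comments stay on their own lines.

[WinEventLog://Security]
disabled = 0
# constructed index name: it must already exist on the indexers
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
# Drop high-volume directory-object access events (4662) unless they
# touch Group Policy containers, and drop filtering-platform noise (5156).
# Filtering here keeps the events from ever leaving the forwarder.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="5156"

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog

# An input you do not want from this host: only the switch is overridden,
# the rest of the default stanza stays as shipped.
[WinEventLog://Setup]
disabled = 1
```

On a forwarder that received the app, `splunk btool inputs list "WinEventLog://Security" --debug` prints each effective key with the file it came from, which confirms that local/ wins over default/ and that no other app on the host is overriding the stanza.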