
Should I deploy Splunk TA for Windows to Universal Forwarders?

AHBrook
Path Finder

Hey all!

I've inherited a Splunk instance that has been running for about 8 years now. There are instances of Splunk_TA_windows all over it - most are 4.8.3, but a couple are 8.0.0 and 8.1.2. (The overall Splunk instance is running at 7.2 currently).

In the process of investigation, I have discovered that our Active Directory controllers had Universal Forwarders installed on them using the GUI installer. In the process, they were set to collect Windows event logs, but no other configuration was made. As a result, a ton of logging is flowing into our "main" index. In fact, the only thing in the "inputs.conf" file is the IP address of the host. Thanks to the help and pointers of many, I've determined that this is definitely "not good" and instead I should have some filters/blacklists in place.

I've gotten the controllers in question hooked up to our deployment server, so I want to push some apps to them via that.

My question is:

Should I deploy the entire Splunk_TA_windows app to the domain controllers? Or should I just push custom apps that contain the filtering/settings I want, and leave Splunk_TA_windows to the Heavy Forwarders, Indexers, and Search Heads we plan on using? Or should I do both?

I've consulted a few other resources, such as

Digging around, I'm seeing that some Windows logging is being put into the "ActiveDirectory" sourcetype already, but not from any configuration I can find applying to the system, so I assume it is just recognizing them as AD events.

My biggest concern is that I want to build a "baseline" that is easy to maintain going forward. I know from my Data Admin training that deployed add-ons are evaluated in reverse-lexicographical order (i.e. "Splunk_TA_Windows" has lower priority than "institution_windows_core"), so I should be able to stack things... but again, I just want to make sure I'm following what people recommend.

( May also be using this forum as a "Rubber ducky" situation. 😄 )


gcusello
Esteemed Legend

Hi @AHBrook,

quickly answering your question:

Should I deploy the entire Splunk_TA_windows app to the domain controllers? Or should I just push custom apps that contain the filtering/settings I want, and leave Splunk_TA_windows to the Heavy Forwarders, Indexers, and Search Heads we plan on using? Or should I do both?

I suggest always using the latest released TA_Windows, disabling the inputs you don't need.

Anyway, if you have to customize inputs or just enable some of them, always copy inputs.conf into the local folder and modify that version; don't modify the default version, because it will be overwritten at the first update.

If you have other custom inputs, you can add them to the inputs.conf in the local folder or to a custom TA, but don't put the TA_Windows inputs in that TA.

In general, I suggest reviewing your installation and upgrading all Splunk instances, Apps and TAs.

In addition, it is a best practice to have the same TA on all the deployed machines (the only exception being very old systems that are not supported by the latest version), and to deploy it using the Deployment Server.

Ciao.

Giuseppe

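To make the stacking described in the question and the default/local advice in the reply concrete, here is an added example (not from the thread and not Splunk's code) that models how a forwarder merges inputs.conf from Splunk_TA_windows/default, Splunk_TA_windows/local and a custom app, and reports which file set each key, the way `splunk btool inputs list --debug` does on a real host. The three conf texts are constructed, abridged stand-ins for the real files; the custom app name institution_windows_core is taken from the question, while the index names, the blacklist regexes and the netlogon monitor are assumptions. The precedence it applies is: every app's local directory over every app's default directory, and within a tier apps in ASCII order with the last-sorting name winning (lowercase sorts after uppercase), which is the "reverse-lexicographical" rule from the question; confirm it on the host with btool before relying on it.

```python
"""Model how Splunk layers inputs.conf across apps on a forwarder.
Added example for this thread, not Splunk's code. The conf texts are
constructed, abridged stand-ins (not the real Splunk_TA_windows files);
the custom app name, index names and netlogon monitor are assumptions."""

# constructed sample files, keyed by (app, layer) ---------------------------
FILES = {
    ("Splunk_TA_windows", "default"): r"""
# shipped by the add-on: inputs exist but are disabled; never edit this file
[WinEventLog://Security]
disabled = 1
start_from = oldest
renderXml = true

[WinEventLog://System]
disabled = 1

[admon://default]
disabled = 1
""",
    ("Splunk_TA_windows", "local"): r"""
# site copy of the same stanzas: enable, route, and drop noise on the DC
[WinEventLog://Security]
disabled = 0
index = wineventlog
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="5156"

[WinEventLog://System]
disabled = 0
index = wineventlog
""",
    ("institution_windows_core", "local"): r"""
# custom app: site-specific additions (assumed path, sourcetype and index)
[WinEventLog://Security]
index = wineventlog_dc

[monitor://C:\Windows\debug\netlogon.log]
sourcetype = netlogon
index = wineventlog_dc
""",
}


def parse_conf(text):
    """.conf text -> {stanza: {key: value}}; splits on the FIRST '=' so
    '=' inside regex values survives. [default] inheritance not modelled."""
    conf, stanza = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            conf[stanza][key.strip()] = value.strip()
    return conf


def layer_order(files):
    """Lowest-to-highest precedence in the global context (system dirs
    omitted): all app default dirs, then all app local dirs. Within a tier
    apps go in ASCII order, so the name sorting LAST (lowercase after
    uppercase) is applied last and wins: the question's 'reverse
    lexicographical' rule. Confirm on a real host with
    `splunk btool inputs list --debug`."""
    return [(app, layer) for layer in ("default", "local")
            for app in sorted(a for a, l in files if l == layer)]


def effective_config(files):
    """Merge key by key (a higher layer overrides only keys it defines) and
    record which file won each key, as `btool --debug` would show."""
    merged, source = {}, {}
    for app, layer in layer_order(files):
        for stanza, kv in parse_conf(files[(app, layer)]).items():
            merged.setdefault(stanza, {}).update(kv)
            for key in kv:
                source.setdefault(stanza, {})[key] = f"{app}/{layer}"
    return merged, source


def enabled_inputs(files):
    """Stanzas that will actually collect on the host."""
    merged, _ = effective_config(files)
    return sorted(s for s, kv in merged.items()
                  if kv.get("disabled", "0").lower() not in ("1", "true"))


if __name__ == "__main__":
    merged, source = effective_config(FILES)
    for stanza in enabled_inputs(FILES):
        print(f"[{stanza}]")
        for key, value in merged[stanza].items():
            print(f"  {key} = {value}    <- {source[stanza][key]}")
```

Running it prints the three enabled stanzas with the winning file next to each key: the Security log is enabled and blacklisted by Splunk_TA_windows/local but routed to wineventlog_dc by the custom app, while admon stays disabled from the add-on's default. That split across two apps is legal but easy to lose track of, which is the practical reason behind keeping the add-on's own stanzas in its local folder and only site-specific inputs in the custom app.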