Splunk Add-on for Microsoft Active Directory vs Sp...

damode · ‎01-23-2020

I have Splunk Supporting Add-on for Active Directory 2.1.4 already installed.

I noticed with Splunk Add-on for Microsoft Windows 6.0.0, it also includes Splunk Add-on for Windows Active Directory version 1.0.0 and DNS add-on.

are both add-ons required at the same or should I uninstall Splunk Supporting Add-on for Active Directory 2.1.4 ?

richardphung · ‎01-24-2020

From what I can tell, the Splunk Add-on for Microsoft Windows 6.0.0 (which includes Windows Active Directory 1.0.0) do different things than the Splunk Supporting Add-on for AD (2.1.4)...

The Splunk Add-On for Microsoft Windows 6.0.0 is a TA, which offers indexing and extraction of Microsoft Windows Event Logs (and now AD Logs via WinEventMon:\Security- type stanzas)...

The Supporting Add-On is an SA--- which offers some functionality, particularly, SA-LDAPSearch..., which includes things like ldapfilter, ldapfetch, etc.

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.0/User/AbouttheSplunkSupportingAdd-onforActi...

richardphung · ‎01-24-2020

And also, the Supporting Add-On for AD can technically do any LDAP search, doesn't necessarily have to be AD.

You just need a server and bind credentials, certificate, etc.

damode · ‎01-28-2020

ok so basically, I should keep the SA-LDAP add-on as it is and upgrade to latest windows add-on.
Thanks for clarification.

Splunk Add-on for Microsoft Active Directory vs Splunk Supporting Add-on for Active Directory ? Whats the difference ?

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!