Splunk Add-on for Microsoft Active Directory vs Splunk Supporting Add-on for Active Directory? What's the difference?

Builder

I have Splunk Supporting Add-on for Active Directory 2.1.4 already installed.

I noticed that Splunk Add-on for Microsoft Windows 6.0.0 also includes Splunk Add-on for Windows Active Directory version 1.0.0 and the DNS add-on.

Are both add-ons required at the same time, or should I uninstall Splunk Supporting Add-on for Active Directory 2.1.4?

Communicator

From what I can tell, the Splunk Add-on for Microsoft Windows 6.0.0 (which includes Windows Active Directory 1.0.0) does different things than the Splunk Supporting Add-on for AD (2.1.4)...

The Splunk Add-On for Microsoft Windows 6.0.0 is a TA, which offers indexing and extraction of Microsoft Windows Event Logs (and now AD Logs via WinEventMon:\Security- type stanzas)...

The Supporting Add-On is an SA, which offers some functionality, particularly SA-LDAPSearch, which includes things like ldapfilter, ldapfetch, etc.

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.0/User/AbouttheSplunkSupportingAdd-onforActi...

0 Karma

Communicator

And also, the Supporting Add-On for AD can technically do any LDAP search; it doesn't necessarily have to be AD.

You just need a server and bind credentials, certificate, etc.

0 Karma

Builder

OK, so basically, I should keep the SA-LDAP add-on as it is and upgrade to the latest Windows add-on.
Thanks for the clarification.

0 Karma