
Splunk auditing AD Manager Plus

AaronMoorcroft
Communicator

Hi Guys, I was wondering if anyone has got their Splunk instance set up to monitor a tool called AD Manager Plus?

If so, could you provide some detail on how you have it configured?

Cheers

Aaron

EDIT... A little more info -

So what I need is for Splunk to monitor an application called AD Manager Plus, more specifically a host of folders within a directory that also holds the log files of who logs in and does what.

Within each folder is the log file I need to audit. This application is on a different server but on the same site; reading the forums and instructions, it states that I should set up a Splunk forwarder on this system, which in turn sends the info to the indexer.

I'm a little confused, as we seem to have one main forwarder for each site and, from what I gather, all required info is sent to them to be sent on again to the indexer. Should I be looking at setting up a new forwarder for each and every new piece of information I need to cover, or is there a way to have the already-configured forwarder collect the logs I need to put through the indexer?

Also, I don't know if this is an issue, but each new user to log into AD Manager will have their own folder and log file created in the above directory. Will Splunk automagically take this into account, or will I have to set up separate collections for each user?

I hope you understand my ramblings


AaronMoorcroft
Communicator

Hi Guys

I now have this sorted. I installed the Universal Forwarder onto the system and added this into inputs.conf:

[monitor://C:\ManageEngine\ADManager Plus\audit-data\audit\technicians]
disabled = false
sourcetype = ADManager

I then restarted the Splunk UF by typing in:

C:\Program Files\SplunkUniversalForwarder\bin\splunk restart

The way that the monitor config is set up means that any amendments, and even new folders created by new logins to the AD Manager, are also picked up.


palicos
New Member

Hi. Exactly what you meant to say, I am unable to guess.

Please explain a bit more so that the explanation can be derived.

Thanks.



treinke
Builder

So basically what I said.

There are no answers without questions

treinke
Builder

The easiest way might be to install the universal forwarder on the servers that AD Manager Plus is on. Using the monitor feature in the inputs.conf file, you would be able to grab the log files. Here would be an example for the inputs.conf file:

[monitor://c:\program files\ADManagerPlus\logs\*\*.log]
disabled = false
followTail = 0
# the index named here must already exist on the indexer
index = admanagerplus
sourcetype = aduserlogs

More on the inputs.conf file:
http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

There are no answers without questions

AaronMoorcroft
Communicator

Brilliant, thanks for your help. I will give this a shot.


treinke
Builder

No, that is fine. I have the Splunk Universal Forwarder on all my machines that are DC, DNS, and DHCP. They then send their logs to the central indexer.

There are no answers without questions

AaronMoorcroft
Communicator

Would having more than one forwarder on the same site cause any issues, or is it a case of you can have as many as required? So, for argument's sake:

1 forwarder on an exchange box
1 forwarder on an AV box
1 forwarder on an application box
