Splunk for Active Directory

knewter
Engager

I'm having a good time trying to configure Splunk for Active Directory on a universal forwarder using the remote data collection option. What groups does the user need to be added to in order to get this option to work? I have tried adding them to everything and I keep getting an error. Is it possible to use the local option? I'm also having trouble enabling the WinEventLogs using the Windows TA inputs.conf file. They appear to be enabled but I'm not receiving any events. Where is the correct place to enable those events?

I have a Splunk indexer running on Linux and one Domain Controller.

Thanks

0 Karma

jbernt_splunk
Splunk Employee

Groovy. Let us know if we can help further.

0 Karma

knewter
Engager

I believe so. It's just taking forever to pull in the WinEventLog:Security logs. It's taken over a day to get the prior day's events. I was trying to figure out the settings to send only new data but I haven't got that worked out yet.

Everything else seems to be coming in fine.

0 Karma

jbernt_splunk
Splunk Employee

knewter, were you able to get data flowing in correctly?

0 Karma

knewter
Engager

Hmm, maybe it's the user I'm using then. I was just installing it with the Administrator account.

0 Karma

jbernt_splunk
Splunk Employee

You shouldn't need to change the Windows TA at all for the event logs to forward in. Please use the default Windows TA on your domain controllers, and that should get you working.
Also, to clarify, the user should be "Local System", or a domain user, not a local user to the system itself.

0 Karma

knewter
Engager

I'm running it as a local user at this point. I can get the AD data when I add the TA for domain controllers but I can't seem to get the WinEventLogs when I modify the Windows_TA. Is there an order of precedence issue here between the inputs.conf files?

0 Karma
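As an added example (my own, not from either poster or from the Splunk TA itself), the inputs.conf fragment below covers the two things this thread circles around: a WinEventLog:Security input that forwards only events written after the forwarder starts, instead of backfilling the whole retained log, and the local/ versus default/ split that decides which stanza wins when the Windows TA is edited. The app path, the index name and the btool check are assumptions from my own deployments; confirm the keys against the inputs.conf.spec shipped with your TA version.

```ini
# Assumed location (not stated in the thread):
#   $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf
# Edit local/, never default/. Within an app, a key set in local/ overrides the
# same key in default/, and local/ survives an upgrade of the TA.

# Backfilling every retained Security event is what makes the initial pull take
# a day or more on a busy domain controller. This stanza tails the log instead.
[WinEventLog://Security]
disabled = 0
index = wineventlog        ; assumed index name; create it on the indexer first
start_from = newest
current_only = 1           ; 1 = only events that arrive while the input runs

# For contrast, the default behaviour the poster was seeing (full historical
# backfill from the oldest retained event, then catch-up). Do not enable both.
; [WinEventLog://Security]
; start_from = oldest
; current_only = 0

# Channels the TA already enables by default; repeating disabled = 0 here is
# harmless and makes local/ the single record of what is switched on.
[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
disabled = 0

# Precedence check when two apps (for example the domain-controller TA and the
# Windows TA) both define the same stanza: run this on the forwarder and read
# which file supplies each winning key.
;   $SPLUNK_HOME/bin/splunk btool inputs list WinEventLog://Security --debug
```

If btool shows a key coming from a file you did not expect, that file is the one to edit; after any change, restart the forwarder so the input re-reads its checkpoint.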

jbernt_splunk
Splunk Employee

Hi knewter,
Are you running the universal forwarder on your domain controller as local system or as a domain user? May I suggest running as local system for now to help get the system forwarding basic information first.

0 Karma