I'm having a good time trying to configure Splunk for Active Directory on a universal forwarder using the remote data collection option. What groups does the user need to be added to in order to get this option to work? I have tried adding them to everything and I keep getting an error. Is it possible to use the local option? I'm also having trouble enabling the WinEventLogs using the Windows TA inputs.conf file. They appear to be enabled but I'm not receiving any events. Where is the correct place to enable those events?
I have a Splunk indexer running on a Linux and one Domain Controller.
I believe so. It's just taking forever to pull in the WinEventLog:Security logs. It's taken over a day to get the prior day's events. I was trying to figure out the settings to send only new data, but I haven't got that worked out yet.
Everything else seems to be coming in fine.
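An added example, not from anyone in this thread or from the Windows TA itself, of a `local/inputs.conf` stanza that enables the Security channel and skips the historical backlog the post above is struggling with. The index name is an assumption; the file path assumes the stock Splunk_TA_windows app directory on the domain controller's forwarder.

```ini
# Added example: $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf
# on the domain controller's universal forwarder. Anything in local/
# overrides the same key in the shipped default/inputs.conf, so this is
# the right place to turn an input on (leave default/ untouched; it is
# replaced when the TA is upgraded).
[WinEventLog://Security]
disabled = 0

# Forward only events written after the forwarder starts, instead of
# replaying the whole channel from the oldest record. Caveat: events
# that arrive while the forwarder is stopped are never collected in
# this mode. Remove the line (start_from = oldest is the default) once
# the backlog is wanted too.
current_only = 1

# Seconds between saves of the read position, so a restart resumes
# where it left off rather than re-reading the channel.
checkpointInterval = 5

# Assumed index name; it must exist on the Linux indexer first.
index = wineventlog
```

To see which file each setting is actually coming from (the precedence question raised later in the thread), run `splunk btool inputs list WinEventLog://Security --debug` on the forwarder after a restart; each effective line is prefixed with the path of the inputs.conf that supplied it.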
You shouldn't need to change the Windows TA at all for the event logs to forward in. Please use the default Windows TA on your domain controllers, and that should get you working.
Also, to clarify, the user should be "Local System", or a domain user, not a local user to the system itself.
I'm running it as a local user at this point. I can get the AD data when I add the TA for domain controllers, but I can't seem to get the WinEventLogs when I modify the Windows_TA. Is there an order of precedence issue here between the inputs.conf files?
Are you running the universal forwarder on your domain controller as local system or as a domain user? May I suggest running as local system for now to help get the system forwarding basic information first.