I am working on deploying the Splunk Add-on for Microsoft Active Directory. Some documents suggest unzipping splunk-add-on-for-microsoft-active-directory_100.tgz to a folder and copying it to the Z:\Program Files\Splunk\etc\deployment-apps folder.
Another document suggests using the Splunk Web interface: go to Manage Apps > Add new app and point to splunk-add-on-for-microsoft-active-directory_100.tgz.
When I tried the first method, it did not work for me; I later learned that I was supposed to create "Local" and put "inputs.conf" in that folder manually.
When I used the second method I got the desired results automatically.
Which method is preferred?
Thanks in advance.
Thanks for taking the time to reply. I have gone through almost all of the different versions of the Splunk docs about deploying the Splunk Add-on for Microsoft Active Directory.
Each document has small differences. My basic question was what the difference is between the ways of deploying the Splunk Add-on for Microsoft Active Directory described in the document below. I have a single server with Splunk Enterprise, and Microsoft Active Directory installed on separate servers. The idea was to collect Active Directory data and security logs from the domain controller.
I first tried these 2 documents exactly as they say. I did not get any Active Directory related index created, such as "msad", "perfmon" etc., nor did I get any security logs pulled from the domain controller where I installed the universal forwarder and deployed the application.
Instead I got the Active Directory data in the main index rather than its own index as defined in inputs.conf. Maybe I was supposed to create a folder Local and put inputs.conf in that folder, but that is not specified in these 2 procedures.
So I tried these...
Then I saw the procedure below
which talks about logging in to the Splunk app (web interface), going to Apps > Manage Apps > Add, and adding the app downloaded in the form of the splunk-add-on-for-microsoft-active-directory_100.tgz file. Once I did this, suddenly I got the indexes "msad", "perfmon" etc. created, and I got the AD data in msad instead of main. Still, I have to create a separate forwarded input and create an input for the security logs of the domain controller.
So I don't understand what the difference is between manually expanding the add-on file to a folder, copying it to deployment-apps and then restarting Splunk, and the second method of using the Splunk console and adding the app using the GUI.
I wish there were one consistent method of deploying the Splunk add-on for Active Directory rather than many different documents.
Sorry, but I don't understand your need:
Unzipping splunk-add-on-for-microsoft-active-directory_100.tgz to a folder and copying it to the $SPLUNK_HOME\etc\deployment-apps folder is the method to deploy an app from the Deployment Server to other servers, but you also have to configure the Forwarders as Deployment Clients and create a Server Class.
If instead you want to manually install your Add-On, you can unzip splunk-add-on-for-microsoft-active-directory_100.tgz to a folder and copy it to the $SPLUNK_HOME\Splunk\etc\apps folder (and restart Splunk).
In addition, I don't understand what you mean by the web interface: usually this Add-on is installed on a Forwarder on the Domain Controllers, and UFs don't have a web interface.
Anyway, as described in the documentation, the best way is to deploy Apps using a Deployment Server (see https://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory ).
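As an added illustration (my own sketch, not code from this thread or from the Splunk docs), here is a POSIX shell script for the Deployment Server path described in the answer above, run on a Linux Splunk host: it unpacks the add-on under etc/deployment-apps, enables an input through local/inputs.conf instead of editing default/, writes the server class that pushes the app to forwarders, writes the forwarder-side deploymentclient.conf, and resolves a setting the way Splunk layers local/ over default/ (which is why, without a local/ override, the inputs in default/ decide what happens). The app directory name Splunk_TA_microsoft_ad, the [admon://NearestDC] stanza, the domain_controllers server class, the DC* whitelist and the deployment server hostname are assumptions; the tarball is a constructed stand-in for the real .tgz.

```shell
#!/bin/sh
# Added example (not from this thread): stage an add-on on a Deployment Server,
# enable an input via local/ rather than default/, and write the server class
# that pushes the app to forwarders. App name, stanza names, server class name
# and host pattern are assumptions chosen for illustration.
set -eu

# Constructed stand-in for splunk-add-on-for-microsoft-active-directory_100.tgz:
# a minimal app directory with a default/inputs.conf whose input is disabled,
# packed into a tarball so the script runs offline.
make_sample_tgz() {
  out="$1"
  work=$(mktemp -d)
  mkdir -p "$work/Splunk_TA_microsoft_ad/default"
  cat > "$work/Splunk_TA_microsoft_ad/default/inputs.conf" <<'EOF'
[admon://NearestDC]
disabled = 1
index = msad
EOF
  tar -C "$work" -czf "$out" Splunk_TA_microsoft_ad
  rm -rf "$work"
}

# Unpack the add-on under etc/deployment-apps (Deployment Server side). Nothing
# reaches a forwarder until a server class references the app and the forwarder
# is configured as a deployment client. Prints the app directory name.
stage_addon() {
  tgz="$1"
  splunk_home="$2"
  mkdir -p "$splunk_home/etc/deployment-apps"
  tar -C "$splunk_home/etc/deployment-apps" -xzf "$tgz"
  tar -tzf "$tgz" | head -n 1 | cut -d/ -f1
}

# Resolve a setting the way Splunk layers conf files: default/ is read first,
# then local/ overrides it. Prints the winning value, or nothing if unset.
effective_value() {
  app_dir="$1"; stanza="$2"; key="$3"; val=""
  for f in "$app_dir/default/inputs.conf" "$app_dir/local/inputs.conf"; do
    [ -f "$f" ] || continue
    v=$(awk -v s="[$stanza]" -v k="$key" '
      $0 == s { in_s = 1; next }
      /^\[/   { in_s = 0 }
      in_s && $1 == k && $2 == "=" { print $3 }' "$f")
    if [ -n "$v" ]; then val="$v"; fi
  done
  echo "$val"
}

# Enable an input without touching default/, which an upgrade would overwrite.
enable_input() {
  app_dir="$1"; stanza="$2"
  mkdir -p "$app_dir/local"
  printf '[%s]\ndisabled = 0\n' "$stanza" >> "$app_dir/local/inputs.conf"
}

# Server class on the Deployment Server: which forwarders (whitelist) receive
# which app. Reload afterwards with: splunk reload deploy-server
write_serverclass() {
  splunk_home="$1"; app="$2"; host_pattern="$3"
  mkdir -p "$splunk_home/etc/system/local"
  cat > "$splunk_home/etc/system/local/serverclass.conf" <<EOF
[serverClass:domain_controllers]
whitelist.0 = $host_pattern

[serverClass:domain_controllers:app:$app]
restartSplunkd = true
EOF
}

# Forwarder side: point the Universal Forwarder at the Deployment Server's
# management port so it polls for the server class above.
write_deploymentclient() {
  uf_home="$1"; ds_host="$2"
  mkdir -p "$uf_home/etc/system/local"
  cat > "$uf_home/etc/system/local/deploymentclient.conf" <<EOF
[target-broker:deploymentServer]
targetUri = $ds_host:8089
EOF
}
```

On a real Deployment Server you would call stage_addon with the downloaded .tgz and $SPLUNK_HOME, enable_input for each stanza you want the domain controllers to run, then write_serverclass and `splunk reload deploy-server`; write_deploymentclient is applied on each forwarder (followed by a forwarder restart). Calling effective_value before and after enable_input shows the point the thread circles around: with only default/inputs.conf present the input stays disabled, and the local/ override is what changes the effective value.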
If you think the manual steps for the Microsoft Active Directory Add-On are missing a required step in the documentation, and the documentation is on Splunk Docs, then you can always use the feedback section provided at the bottom of the documentation so that the Technical Writer will be able to review and rectify it.