I'm relatively new to Splunk and need some advice on deploying apps. I need to deploy the Windows Infrastructure App to get DNS logs into Splunk. That app requires the Powershell add-on on the server and deploying it to the Universal Forwarder on the domain controllers.
I've installed the Powershell app on the Splunk server. Before deploying to the Universal Forwarder, I need to configure the inputs.conf file. There's nothing I actually want from this. I'm only installing it so I can proceed with Windows Infrastructure App. I presume I need to log something but I don't know that for a fact. What do you recommend I put in this file?
Also, the installation instructions for the Powershell add-on were not as specific as the Windows add-on. Do I need to create a new index for the Powershell app?
Thanks


Hi gph12
You don't actually need the Powershell add-on to get DNS logs into Splunk. There is a requirement to have the Powershell add-on installed if you want to get Active Directory topology information from a Windows Server 2012 R2. Even if this is the use case, the Windows Infrastructure app would work without this information.
There is documentation on how to configure the DNS Add-on for the Windows Infrastructure app here:
http://docs.splunk.com/Documentation/MSApp/latest/MSInfra/DownloadandconfiguretheSplunkAdd-onsforWin...
It involves placing the pre-configured add-on package on the forwarder. You can either use the default inputs or modify them to your needs.
Let me know how you get along.
j
Thanks for the information. That helps. I will proceed tomorrow and let you know the result.
G
J, that worked out well for me. I deployed the DNS app to a DC\DNS server and am now getting what I need.
The AD options in Splunk also look interesting and I may deploy that. I have the Powershell app installed on the Splunk server. Will I need to deploy that to a domain controller?
Thanks,
G


For AD, Splunk will get most of its data from the standard Windows Add-on (Splunk_TA_windows) as well as from the DC add-ons that are bundled with the Splunk App for Windows Infrastructure. Install one of these add-ons that matches your DC version (TA-DomainController-2012R2, TA-DomainController-NT5 and TA-DomainController-NT6). If you have a DC 2012R you also need to install the Powershell add-on as a requisite. You can see the install guide for Splunk App for Windows Infrastructure under Active Directory for this. Powershell is mainly used to get topology and health and not the actual authentication events.
