I'm interested in using the Windows AD App for Splunk.
The only issue: Splunk is located in a remote data center.
I've experimented with forwarding the raw data via a universal forwarder, and then using admon and perfmon. However, it doesn't seem to give me the data I want to view in Splunk (mainly failed login attempts), and it doesn't play nice with the Windows App for Splunk.
Thank you in advance for your help, I greatly appreciate it.
So, to collect AD events:
- Install the Universal Forwarder on your AD host
- Ensure your UF has admin privileges, or configure a service account with the relevant privileges to read the event logs
- Copy the entries (stanza and contents) from the Splunk_TA_Windows inputs.conf, especially [WinEventLog://Application] and [WinEventLog://Security], and ensure they have disabled = 0
- You can either create an inputs app of your own and put the two entries in it, or you can send the whole of Splunk_TA_Windows with the above inputs enabled in its "local" folder. You can send to another index if you need.
- Ensure your UF sends the data to your Splunk Enterprise installation
- On your indexer and search head (and heavy forwarder), ensure Splunk_TA_Windows is present
- Then these should come into your specified index with sourcetypes of [WinEventLog:Application] and [WinEventLog:Security]
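The forwarder-side configuration the steps above describe, written out as an added example (it is not the poster's configuration or the stock Splunk_TA_Windows files); the app name, index name and indexer address are assumptions marked in the comments.

```ini
# Added example: $SPLUNK_HOME/etc/apps/my_ad_inputs/local/inputs.conf on the UF.
# The app name "my_ad_inputs" is an assumption; the same stanzas can instead go
# into Splunk_TA_Windows/local/inputs.conf as the answer suggests.
# Splunk conf files do not support trailing comments, so every comment sits on
# its own line.

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
# Assumed index name; it must be defined on the indexers.
index = wineventlog

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
# The WinEventLog input sets the sourcetype to WinEventLog:Security itself.
# Failed logon attempts, the events the question asks about, arrive from this
# input as Security events with EventCode 4625, so
#   index=wineventlog sourcetype=WinEventLog:Security EventCode=4625
# on the search head confirms the pipeline end to end.

# Added example: $SPLUNK_HOME/etc/system/local/outputs.conf on the UF.
# Hostname is a placeholder; 9997 is Splunk's conventional receiving port.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-idx.example.com:9997
```

Restart the forwarder after editing; the indexers must be configured to receive on the chosen port and must have the wineventlog index defined before events appear.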
If you are interested in login, logout, user changes, group additions etc., enable the WinEventLog:Security input on your AD server and send the data directly to Splunk.
Make sure you have the Windows (or AD) TA installed on your indexers and search heads as well.