
Windows App for AD - Question about forwarding AD Events to remote splunk instance

TitanAE
New Member

I'm interested in using the Windows AD App for Splunk.

The only issue - Splunk is located in a remote data center.

I've experimented with forwarding the raw data via a universal forwarder, and then using admon & perfmon. However, it doesn't seem to give me the data I want to view in Splunk (mainly failed login attempts), and it doesn't play nicely with the Windows App for Splunk.

Thank you in advance for your help; I greatly appreciate it.

0 Karma

koshyk
Super Champion

So, to collect AD events:
- Install a Universal Forwarder on your AD host
- Ensure your UF has admin privileges, or configure a Service Account with the relevant privileges to read Event Logs
- Copy the entries (stanza & contents) from the Splunk_TA_Windows inputs.conf, especially [WinEventLog://Application] and [WinEventLog://Security], and ensure disabled = 0
- You can either create an inputs app of your own and put the two entries in it, or you can send the whole of Splunk_TA_Windows with the above inputs enabled in its "local" folder. You can send to another index if you need to.
- Ensure your UF sends the data to your Splunk Enterprise installation
- On your Indexer and Search Head (and Heavy Forwarder), ensure Splunk_TA_Windows is present
- Then these should come into your specified index with sourcetypes of [WinEventLog:Application] and [WinEventLog:Security]

0 Karma
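As an added example (not code from this thread, from Splunk, or from the Splunk_TA_Windows add-on), here is the procedure above, and adonio's shorter version in the next answer, put into one PowerShell script to run on the domain controller where the Universal Forwarder is installed. Every name in it is an assumption to adapt: the app name dc_wineventlog_inputs, the index wineventlog, the indexer splunk-idx.example.com:9997, and the default UF install path. The stanza names match the ones in Splunk_TA_Windows so the add-on's field extractions and the Windows app's searches line up with what the forwarder sends.

```powershell
# Added example, not from the original thread. Deploys a minimal inputs app on a
# domain controller so the Universal Forwarder ships the Security and Application
# event logs to a remote indexer. Placeholders (assumptions) to change: install
# path, app name, index name and indexer host:port.
$SplunkHome = "C:\Program Files\SplunkUniversalForwarder"
$AppName    = "dc_wineventlog_inputs"
$Index      = "wineventlog"                 # must already exist on the indexer
$Indexer    = "splunk-idx.example.com:9997" # indexer's receiving port (splunktcp)

$LocalDir = Join-Path $SplunkHome "etc\apps\$AppName\local"
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

# inputs.conf: same stanza names as Splunk_TA_Windows. renderXml = false keeps
# the sourcetype WinEventLog:Security (not XmlWinEventLog:Security), which is
# what the classic Windows/AD app searches expect. The account running the
# SplunkForwarder service needs read access to the Security log; Local System
# has it by default, a domain service account needs e.g. Event Log Readers.
$InputsConf = @"
[WinEventLog://Security]
disabled = 0
index = $Index
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
# Optional: keep only authentication-failure and lockout events, which is what
# the question asks for. Remove this line to forward the whole Security log.
# 4625 = failed logon, 4771 = Kerberos pre-auth failed, 4776 = NTLM validation
# failed, 4740 = account locked out.
whitelist = 4625,4771,4776,4740

[WinEventLog://Application]
disabled = 0
index = $Index
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
"@
Set-Content -Path (Join-Path $LocalDir "inputs.conf") -Value $InputsConf -Encoding ASCII

# outputs.conf: send everything to the remote data center's indexer.
# useACK makes the forwarder wait for indexer acknowledgement before dropping
# its queued copy, which matters over a WAN link that can drop.
$OutputsConf = @"
[tcpout]
defaultGroup = remote_indexers

[tcpout:remote_indexers]
server = $Indexer
useACK = true
"@
Set-Content -Path (Join-Path $LocalDir "outputs.conf") -Value $OutputsConf -Encoding ASCII

# Restart the forwarder so it loads the new app, then confirm the merged
# configuration btool sees for the Security input (--debug shows which file
# each setting came from) and that the forwarder reports its indexer as active.
Restart-Service -Name SplunkForwarder
& "$SplunkHome\bin\splunk.exe" btool inputs list "WinEventLog://Security" --debug
& "$SplunkHome\bin\splunk.exe" list forward-server
```

One caveat for the "failed login attempts" use case: a 4625 on the domain controller only records failed logons to the DC itself. A bad password typed at a workstation against a domain account is logged on the DC as a Kerberos 4771 (pre-authentication failed) or an NTLM 4776, which is why the whitelist above includes those codes. Once events arrive, a search such as `index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 | stats count by Account_Name, Workstation_Name, Failure_Reason` shows the failures; the field names assume the Splunk_TA_Windows extractions are installed on the search head, as the answer above says.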

adonio
Ultra Champion

If you are interested in logins, logouts, user changes, group additions, etc., enable the WinEventLog:Security input on your AD server and send the data directly to Splunk.
Make sure you have the Windows (or AD) TA installed on your Indexers and Search Heads as well.

0 Karma