Re: Windows App for AD - Question about forwarding...

TitanAE · ‎09-05-2018

I'm interested in using the Windows AD App for Splunk.

The only issue - Splunk is located in a remote data center.

I've experimented with forwarding the data in the raw, via a universal forwarder. And then using admon & perfmon. However it doesn't seem to give me the data I want to view in Splunk (mainly failed login attempts). And it doesn't play nice with the Windows App for Splunk.

Thank you in advanced for your help, I greatly appreciate it.

titanae

koshyk · ‎09-06-2018

So to collect AD events
- Install Universal Forwarder in your AD host
- Ensure your UF have admin privileges or configure Service Account with relevant privileges to read EventLogs
- Copy entries (stanza & contents) from Splunk_TA_Windows inputs.conf especially [WinEventLog://Application] and [WinEventLog://Security] and ensure it is disabled = 0
- You can either create an inputs app of your own and put the two entries or You can send whole of Splunk_TA_Windows with above inputs enabled in "local" folder. You can send to another index if you need.
- Ensure your UF sends the data to your Splunk Enterprise Installation
- In your Indexer and Search Head (and Heavy Forwarder) , ensure Splunk_TA_Windows is present
- then these should come to your specified index with sourcetypes of [WinEventLog:Application] and [WinEventLog:Security]

adonio · ‎09-05-2018

if you are interested in login, log out, user changing, group adding etc, enable the WInEventLog:Security input on your AD server and send data directly to Splunk.
make sure you have the Windows (or AD) TA installed on your Indexers and Search heads as well

Windows App for AD - Question about forwarding AD Events to remote splunk instance

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability