Hi guys, I was wondering if anyone has got their Splunk instance set up to monitor a tool called AD Manager Plus?
If so, could you provide some detail on how you have it configured?
EDIT... A little more info -
So what I need is for Splunk to monitor an application called AD Manager Plus, more specifically a host of folders within a directory that also then holds the log files of who logs in and does what.
Within each folder is the log file I need to audit. This application is on a different server but on the same site; reading the forums and instructions, it states that I should set up a Splunk forwarder on this system, which in turn sends the info to the indexer.
I'm a little confused, as we seem to have 1 main forwarder for each site, and from what I gather all required info is sent to them to be sent on again to the indexer. Should I be looking at setting up a new forwarder for each and every new piece of information I need to cover, or is there a way to have the already configured forwarder collect the logs I need to put through the indexer?
Also, I don't know if this is an issue, but each new user to log into AD Manager will have their own folder and log file created in the above directory. Will Splunk automagically take this into account, or will I have to set up separate collections for each user?
I hope you understand my ramblings.
The easiest way might be to install the universal forwarder on the servers that AD Manager Plus is on. Using the monitor feature in the inputs.conf file you would be able to grab the log files. Here would be an example for the inputs.conf file.
[monitor://c:\program files\ADManagerPlus\logs\*\*.log]
disabled = false
followTail = 0
index = admanagerplus
sourcetype = aduserlogs
More on the inputs.conf file:
Would having more than one forwarder on the same site cause any issues, or is it a case of you can have as many as required? So, for argument's sake:
1 forwarder on an Exchange box
1 forwarder on an AV box
1 forwarder on an application box
No, that is fine. I have the Splunk Universal Forwarder on all my machines that are DC, DNS, and DHCP. They then send their logs to the central indexer.
I now have this sorted. I installed the Universal Forwarder onto the system and added this into the inputs.conf:
disabled = false
sourcetype = ADManager
I then restarted the Splunk UF by typing in:
C:\Program Files\SplunkUniversalForwarder\bin\splunk restart
The way that the monitor config is set up means that any amendments, and even new folders created by new logins to AD Manager, are also picked up.
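As an added illustration (not code from the thread or from Splunk), the snippet below emulates how the two inputs.conf monitor wildcards, `*` (one directory level) and `...` (any depth), match file paths, and runs both against a constructed set of AD Manager Plus log paths. It shows why the `logs\*\*.log` stanza from the answer above picks up a folder created for a new user without any reconfiguration, and which files it would still miss.

```python
import re

# Splunk monitor path wildcards (inputs.conf):
#   *    matches any characters except a path separator (exactly one level)
#   ...  matches any number of directory levels, including none
def monitor_to_regex(monitor_path: str) -> re.Pattern:
    """Translate a [monitor://...] path into a case-insensitive regex.
    Backslashes are normalised to '/' so Windows stanzas test cleanly."""
    norm = monitor_path.replace("\\", "/").lower()
    parts, i = [], 0
    while i < len(norm):
        if norm.startswith(".../", i):      # recursive, zero or more levels
            parts.append("(?:.*/)?")
            i += 4
        elif norm.startswith("...", i):     # trailing recursive wildcard
            parts.append(".*")
            i += 3
        elif norm[i] == "*":                # single path segment
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(norm[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def matched_files(monitor_path: str, candidates: list) -> list:
    """Return the candidate paths the monitor stanza would collect."""
    rx = monitor_to_regex(monitor_path)
    return sorted(p for p in candidates if rx.match(p.replace("\\", "/").lower()))

# Constructed sample paths (hypothetical users and file names, not real data).
SAMPLE_FILES = [
    r"C:\Program Files\ADManagerPlus\logs\alice\audit.log",
    r"C:\Program Files\ADManagerPlus\logs\bob\audit.log",
    r"C:\Program Files\ADManagerPlus\logs\carol\audit.log",  # folder created by a new login
    r"C:\Program Files\ADManagerPlus\logs\carol\archive\2013\audit.log",  # two levels deep
    r"C:\Program Files\ADManagerPlus\logs\wrapper.log",  # directly in logs\, no user folder
    r"C:\Program Files\ADManagerPlus\logs\alice\notes.txt",  # wrong extension
]

ONE_LEVEL = r"c:\program files\ADManagerPlus\logs\*\*.log"    # stanza from the answer
RECURSIVE = r"c:\program files\ADManagerPlus\logs\...\*.log"  # any depth under logs\

if __name__ == "__main__":
    for stanza in (ONE_LEVEL, RECURSIVE):
        print(f"[monitor://{stanza}]")
        for path in matched_files(stanza, SAMPLE_FILES):
            print("  ", path)
```

The one-level form collects each per-user audit.log, including the folder created after the forwarder started, but not wrapper.log or the nested archive; switching to `...` collects both of those as well.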
Hi, exactly what you meant to say, unable to guess.
Please explain a bit more so that the explanation can be derived.