I wanted to ask a fundamental question regarding specific log collection.
The question is: Do we really pull logs from the AD by sticking an agent on that AD DC machine/s?
I have a feeling, and I am almost 100% sure, that we collect logs from the core machine, not at the AD App layer.
Can someone confirm my assumptions, please, and how we actually pull out the AD logs?
Thank you All!
Hello @DanAlexander. In a Splunk environment, logs from Active Directory (AD) can be collected using various methods, including both agent-based and agentless approaches. Let's explore both options:
1. Agent-Based Approach: With the agent-based approach, you would install a Splunk Universal Forwarder (a lightweight data collection agent) on the AD domain controller machine(s). The Universal Forwarder is responsible for gathering logs from the specified sources on the machine and forwarding them to the Splunk indexer for indexing and storage.
The advantage of using the Universal Forwarder is that it allows you to filter and select the specific logs you want to collect from the AD DC machine(s), reducing unnecessary data transfer and storage.
2. Agentless Approach: In some cases, you can collect AD logs without directly installing an agent on the domain controller. This is achieved by using protocols such as syslog or Windows Event Forwarding (WEF). Here's how it works:
- Syslog: If your AD DC machine supports sending logs to a syslog server (e.g., using the syslog protocol), you can configure it to send relevant log data to a Splunk syslog server. The Splunk syslog server can then index and store these logs for analysis.
- Windows Event Forwarding (WEF): This is a built-in Windows feature that allows you to forward specific Windows event logs (e.g., security logs) from the AD DC to a central event collector. Splunk can act as the event collector, and you can configure the AD DC to forward the desired logs to your Splunk instance.
Both approaches are valid, and the choice between them depends on your organization's requirements, security policies, and technical constraints. If you are using a Splunk infrastructure, it is common to utilize the Universal Forwarder as it provides more control over log collection and allows filtering on the source machine before forwarding the data to Splunk.
Remember that whatever method you use, it is essential to ensure proper permissions and security considerations when collecting logs from sensitive systems like domain controllers.
Usually, the agent approach is preferable: you can have an AD tree and install the UF on the top to ingest the events. Also, you can provide a specific DN/DC etc. in the input configurations to better filter events.
Please hit Karma, if this helps!
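As an added illustration of the agent-based approach described above (this is not configuration from the original thread or from Splunk's own apps): an inputs.conf for a Universal Forwarder on a domain controller. It assumes the Windows event-log channel names as they appear in Event Viewer on a DC, and the index name, DN and DC hostname are constructed placeholders.

```ini
# inputs.conf on a Universal Forwarder installed on the domain controller.
# The index name "ad", the DN and the DC hostname below are constructed placeholders.

# AD authentication and account/group-management events are written to the
# DC's Security log: Kerberos TGT/service-ticket requests (4768/4769), Kerberos
# pre-auth failures (4771), NTLM validation (4776), logons (4624/4625),
# account and group changes (4720/4728/4732/4756), directory object access
# and modification (4662/5136). Whitelisting keeps volume manageable.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
whitelist = 4624,4625,4662,4720,4728,4732,4756,4768,4769,4771,4776,5136
# Resolve SIDs/GUIDs in events to AD object names at collection time.
evt_resolve_ad_obj = 1
renderXml = true
index = ad

# The directory service's own diagnostic and replication events (the log
# the question calls the "AD raw logs") live in the Directory Service channel.
[WinEventLog://Directory Service]
disabled = 0
start_from = oldest
current_only = 0
index = ad

# Optional: Splunk's admon input watches the directory itself for object
# changes rather than reading an event log. startingNode (a DN) and targetDc
# are the DN/DC knobs mentioned in the reply above.
[admon://domain]
disabled = 0
targetDc = DC01.example.local
startingNode = DC=example,DC=local
monitorSubtree = 1
baseline = 0
index = ad
```

The forwarder's service account must be allowed to read the Security log (the default Local System account is), and enabling the Directory Service channel only makes sense on domain controllers, since member servers do not have it.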
Thanks for the reply @meetmshah,
I am aware of all forwarding models and we did implement them both.
I wanted to know the correct AD log source/s we need to pull out from the AD DC.
As you put [WinEventLog:Security] on a Universal Forwarder (that pulls the DC machine's logs, not the AD ones), what would be the correct pointer to the AD raw logs?