I am using Splunk Enterprise on a Linux server. I want to monitor Active Directory logs. I installed the Splunk Universal Forwarder on the Windows server and configured the ports and accounts.
I am using Splunk Enterprise and have not received logs from the Windows Active Directory server.
I installed the add-ons for the prerequisites.
You have to use the correct Technical Add-ons (TAs).
See the documentation of Splunk App for Windows Infrastructure at https://docs.splunk.com/Documentation/MSApp/latest/MSInfra/AbouttheSplunkAppforMSInfrastructure to know which TAs to deploy and what to configure on Domain Controllers.
If you're satisfied by this answer, please accept and/or upvote it.
Bye, see you next time.
Have you installed https://splunkbase.splunk.com/app/3207/ and enabled the required inputs?
Check if there is any connectivity issue between the forwarder and the indexer.
Are you getting _internal logs from the Active Directory server/Windows host?
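As an added illustration of the "enabled the required inputs" point (not part of either answer): the Splunk Add-on for Windows ships its event-log inputs disabled, so a local inputs.conf override on the forwarder is needed before any Security events leave the domain controller. The index name and the checkpoint interval below are assumptions for this example, not values from the thread.

```ini
# $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf on the forwarder
# (added example; the add-on's default/inputs.conf has these stanzas disabled)

# Assumed: an index named "wineventlog" already exists on the indexer.
# If it does not, the indexer drops the events and only _internal logs arrive.
[WinEventLog://Security]
disabled = 0
index = wineventlog
# Assumed value: how often (seconds) the forwarder records its read position.
checkpointInterval = 5
# Start from existing events too, not only those logged after startup.
current_only = 0

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 0
index = wineventlog
```

Restart the forwarder after saving, then confirm the pipeline in two steps on the search head: `index=_internal host=<forwarder> sourcetype=splunkd` shows the forwarder is connected at all, and `index=wineventlog host=<forwarder> sourcetype=WinEventLog:Security` shows the enabled input is actually delivering events.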