Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Can I monitor several active directory domains using a single Splunk installation?

stefstef
Engager
‎08-24-2011 04:35 AM

I'm currently in the process of evaluating Splunk for active directory monitoring. What I'm interested in, is using it to monitor several domains using universal forwarders. What I've done so far is to set up a Splunk server using the local system account, and then I've set up universal forwarders in two domains using domain accounts and enabling active directory monitoring during the setup.

Unfortunately this isn't working for me, as initially I got some data from the AD monitor running in the same domain as the Splunk server, but that only lasted for about an hour.

Is what I'm attempting to do possible, and if so, what am I doing wrong?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

stefstef
Engager
‎08-25-2011 08:25 AM

I've got data streaming to my indexer now and that's happened without any intervention on my part. I guess I must just have been too impatient. Thanks for the reply malmoore.

View solution in original post

Reply
Solved! Jump to solution
Solution

stefstef
Engager
‎08-25-2011 08:25 AM

I've got data streaming to my indexer now and that's happened without any intervention on my part. I guess I must just have been too impatient. Thanks for the reply malmoore.

Reply
Solved! Jump to solution

malmoore
Splunk Employee
Splunk Employee
‎08-29-2011 10:10 AM

No problem. In theory your setup should work as described, but you should make sure that any data tied to user accounts comes into the indexer as expected.

0 Karma
Reply
Solved! Jump to solution

malmoore
Splunk Employee
Splunk Employee
‎08-24-2011 04:20 PM

Questions for you:

  • Are your UFs configured to run as a local administrator on the machines on which they are installed?

  • Does the UF user have the ability to read the AD schema?

  • Have you checked your splunkd.log and looked for errors on each of your forwarders? What do those errors say (in particular the UF that's not sending any data)?

  • Are the domains part of the same AD forest?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...