Hello, I am new to the Splunk interface and I have been recently given a task to configure Splunk to monitor the following non-default Windows event log:
Log Name: Microsoft-AzureADPasswordProtection-DCAgent/Admin
Source: Microsoft-AzureADPasswordProtection-DCAgent
Date: 6/17/2019 5:42:22 AM
Event ID: 10014
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: ourdcserverA.ourdomain.com
Description:
The changed password for the specified user was validated as compliant with the current Azure password policy.
UserName: Leroy
FullName: Jenkins
So I went ahead and modified the inputs.conf on the central Splunk Enterprise server. Below is an example of the inputs.conf I have currently configured:
[default]
host = oursplunkserver
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://Microsoft-AzureADPasswordProtection-DCAgent/Operational]
host = ourdcserverA
disabled = 0
Now as you can see I've specified the inputs.conf file to look for that event from a domain controller (ourdcservera) but whenever I save the input file and verify if the change has been reflected using the web browser, it only shows that setting applying to the localhost which is the Splunk Enterprise Server (oursplunkserver) and not the domain controller(ourserverdca).
I would like to know what I am missing in the configuration so I am able to monitor this particular log from all our domain controllers? Please help and thank you!
The inputs.conf file has to be located on the forwarder that is collecting the data.
So you would need to make this modification on ourdcservera and not on the Splunk Enterprise server (oursplunkserver).
Hi jnudell! Thank you for your response. My next question is are forwarders required for collecting these types of logs from all of the domain controllers?
I was reading the following article and it looks like forwarders and WMI can both be used for collecting the log data. I am trying the "inputs.config" method but it is to no avail.
https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/MonitorWindowseventlogdata
Ideally, you would install a forwarder on each of the domain controllers that you want to collect Windows Event Log information for. There is a process that describes remote log collection, but that involves creating a domain account that Splunk can run as, and then giving that domain account the permissions to read those log files across all your domain controllers. This might be more complicated than just setting up a standard inputs.conf file that you can deploy to your domain controllers for collecting log information.