Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to monitor Active Directory changes and securi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We want to monitor Active Directory changes and security Events We are planning to deploy the Universal forwarder to each domain controller. I am confused by the documentation. What is needed/best practice to accomplish this? Do we need to install add-ons to the universal forwarder? Can we just monitor Windows Event security logs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jared_anderson, you need to install the Universal forwarder and configure it to monitor these sources.
The following Monitor Windows event log data
says -
Windows event log (*.evt) files are in binary format. You cannot monitor them like you do a normal text file. The splunkd service monitors these binary files by using the appropriate APIs to read and index the data within the files.
Splunk Enterprise uses the following stanzas in inputs.conf to monitor the default Windows event logs:
# Windows platform specific input processor.
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
So,
Do we need to install add-ons to the universal forwarder?
Nope
Can we just monitor Windows Event security logs?
Yes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi jared_anderson,
install the Splunk App for Windows Infrastructure: see installation specs at http://docs.splunk.com/Documentation/MSApp/latest/MSInfra/AbouttheSplunkAppforMSInfrastructure : you can find all the TAs to install and how to install them.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jared_anderson, you need to install the Universal forwarder and configure it to monitor these sources.
The following Monitor Windows event log data
says -
Windows event log (*.evt) files are in binary format. You cannot monitor them like you do a normal text file. The splunkd service monitors these binary files by using the appropriate APIs to read and index the data within the files.
Splunk Enterprise uses the following stanzas in inputs.conf to monitor the default Windows event logs:
# Windows platform specific input processor.
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
So,
Do we need to install add-ons to the universal forwarder?
Nope
Can we just monitor Windows Event security logs?
Yes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For some reason I can't mark your answer as "accept"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What benefit would there be to install add-ons to the universal forwarder. For example an active directory add-on?
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
