Getting Data In

Pulling data from non-domain machines

New Member

I have Splunk set up and working for all servers on my domain but I'm not understanding exactly how to to get non-domain machines included. I have a few dozen machines (all in different locations, none in any domain) that I need to get added. I've seen a bit on using forwarders to potentially pull it off but I'm not seeing how it's done. And yes, I'm extremely new to Splunk.

I'd guess I could set up local accounts on every single machine that all have the same credentials but that's not possible in the environment I'm working in.

Tags (1)
0 Karma

Super Champion

Splunk doesn't require any domain membership of any kind. Simply setup forwarders on each machine you want splunk to collect events on, and simply forward them all to one central splunk instance.

There is no authentication or authorization required between forwarders and the indexers (receivers).

If you are collecting logs over remote shares, then that's the only time I can think of when domain credentials are needed. And really that's not a splunk thing at all, it's just that a windows service needs to to run as a non-system user in order for it to access remote shares; but that's not the ideal splunk setup. Using individual forwarders is recommended.

Related docs: