Splunk installations in two untrusted Windows domains

des_esse_err
Explorer

Hello,
I'm rather new to Splunk, so I haven't yet covered all the documented aspects of it, and have not found anything yet on this subject.
In other classical monitoring setups (such as NetIQ's Security Manager or MS SCOM), it is possible to install agents in other Windows domains which are not trusted by the domain where the solution's servers are running. Those agents are often called "unmanaged" agents, and because of this specific context, some functionality is lost (such as updating the agent software, because of credential problems). But in general, as long as the communication ports between the agent and the servers are opened, the agent is able to perform its job, and send its data back to the servers in the other domain.
So, I'm wondering how this type of context is tackled with Splunk. I guess that universal forwarders can be deployed (either through a regular software distribution solution, or "manually") in the untrusted domain(s) with appropriate server information so that they can "link" back to those servers, running with their own domain-specific service account, as long as their communication ports are left open between the two domains.
But then, what kind of side effects can we expect? I'm thinking of things like:
- for the deployment monitor app
- for keeping the agent software up to date
- for specific apps, such as the Windows app or the Enterprise Security app (which I have not yet become familiar with)
- Anything else which might come into play

So, has anyone faced this type of setup?
Where can I find information regarding the different aspects of such a setup?

Many thanks in advance.
Having worked with other SIEM solutions, I find this an absolutely great piece of software, kind of... magical!

Have a nice day,

David

0 Karma
1 Solution

treinke
Builder

You can set up multiple LDAP connections to your Active Directory servers for authentication into Splunk. As for the functionality between multiple untrusted domains, you shouldn't have a problem. The forwarder communicates directly with the indexer. I have this setup in multiple domains where some are trusted and some are not. I have Windows and Linux working just fine together also. As long as the forwarder can talk to the Splunk ports on the indexer, you should be fine. I can't speak for the Enterprise Security app. For updating the Splunk software, use whatever your normal method for deploying software is. You can set up a deployment server so that, once the software is installed and the end machine is pointed to the server, you can deploy the instructions to the end machines on what to monitor and log. As for documentation, Splunk does a great job of giving you not only what the configuration file structure is, but also examples.

Splunk Documentation:

http://docs.splunk.com/

There are no answers without questions

des_esse_err
Explorer

Hello Anthony,
Many thanks for your quick reply and information.
I will indeed keep on going through all that doc as well; no small task, but usual with software of this sort.

Kind regards,

David

0 Karma

e2eadmin
Explorer

If I have forwarders on Windows machines that are not on any domain or on a domain which I don't control, can we still forward WinEventLog://Security? Right now I am having problems with any of these non-domain Windows servers actually sending data. They connect to the deployment server and the 9997 destination port, but just don't send data. I have looked at the forwarder logs and they have errors about binding with a domain controller. So, in the forwarder inputs.conf file I have the following stanza that took care of the DC bind errors, but didn't fix the data sending problem:

[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
evt_resolve_ad_obj = 0

0 Karma
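The stanza above disables Active Directory object resolution for one channel only. As an added example (not Splunk tooling, not from any poster), the small checker below parses inputs.conf-style text and reports every enabled WinEventLog input that does not explicitly set evt_resolve_ad_obj = 0, which is the setting that would still try to bind to a domain controller on a host outside the trusted domain; the sample configuration is constructed for the example.

```python
"""Flag WinEventLog inputs that may still try to bind to a domain controller.

Added example, not Splunk tooling: parses inputs.conf-style text and reports
WinEventLog stanzas that are enabled but lack an explicit evt_resolve_ad_obj = 0.
Such inputs resolve SIDs/GUIDs via Active Directory, which fails on hosts that
are not joined to a domain the forwarder can reach.
"""
import configparser
from typing import Dict, List

# Constructed sample: the Security stanza from the thread, plus two others.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
evt_resolve_ad_obj = 0

[WinEventLog://System]
disabled = 0
index = wineventlog

[WinEventLog://Application]
disabled = 1
evt_resolve_ad_obj = 1

[monitor://C:\\logs\\app.log]
index = app
"""


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}} with lower-cased keys."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str.lower  # Splunk keys are effectively case-insensitive
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def stanzas_needing_ad_fix(text: str) -> List[str]:
    """Return enabled WinEventLog stanzas without an explicit evt_resolve_ad_obj = 0."""
    flagged = []
    for name, opts in parse_inputs_conf(text).items():
        if not name.startswith("WinEventLog://"):
            continue  # only Windows Event Log inputs resolve AD objects
        if opts.get("disabled", "0").strip().lower() in ("1", "true"):
            continue  # a disabled input never binds to a DC
        if opts.get("evt_resolve_ad_obj", "").strip() != "0":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for stanza in stanzas_needing_ad_fix(SAMPLE_INPUTS_CONF):
        print(f"{stanza}: set evt_resolve_ad_obj = 0 on non-domain hosts")
```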