When installing the Universal Forwarder on a Domain Controller, are we supposed to check the box for "Add user as local administrator"?
Hello. Please see the screenshot on this post; it's from the Splunk Universal Forwarder (UF) installer steps. Are we supposed to check the box for “Add user as local administrator” when installing a UF on a Domain Controller, or leave it unchecked?
Thank you @isoutamo, the "Splunk Enterprise" => Splunk UF is precisely why it's confusing 🙂
I'll go back and have another read through those docs.
Hi johannterc,
Please refer to the docs here to decide on the right Windows user:
http://docs.splunk.com/Documentation/Splunk/6.5.2/Installation/ChoosetheuserSplunkshouldrunas
http://docs.splunk.com/Documentation/Forwarder/6.5.2/Forwarder/InstallaWindowsuniversalforwarderfrom...
Hope it helps
Hello Adonio. I already know what the Windows user should be; I just am not sure if this user needs to actually be granted local admin rights on my Domain Controller (since I am installing UFs on my DCs).
please take a look here:
http://docs.splunk.com/Documentation/Forwarder/6.5.2/Forwarder/InstallaWindowsuniversalforwarderfrom...
per doc, check the box in your screenshot
regards,
I'm still googling this question, as it's still not clear in the docs, but neither of these links works anymore!
Usually it works when you just replace the version number in the URL with the word "latest", like https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands
Here are some more docs for monitoring AD:
Requirements
You must meet the following requirements to monitor an Active Directory schema:
- Splunk Enterprise must run on Windows. See Install on Windows in the Installation Manual.
- Splunk Enterprise must run as a domain user. See Choose the Windows user Splunk Enterprise should run as in the Installation Manual.
- The user Splunk Enterprise runs as must have read access to all AD objects that you want to monitor.
You should read "Splunk Enterprise" => Splunk UF
It doesn't matter even if the 1st docs are for Splunk Cloud, as you are using a separate UF for monitoring. If you want, you can read the same manual for Enterprise by just switching the product to Enterprise.
r. Ismo