Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why should I install Splunk on Domain Controllers?

medma1934
New Member
‎01-10-2017 01:20 PM

Currently debating installing Splunk on all Domain Controllers. Have a back and forth with my colleagues and security team as to if there is a real need for Splunk to be on all DC's. Currently using Splunk 6.5.1 on 6 DC's within 2 sites out of 11 DC's within 4 sites.

Debate is that it should only be installed on the PDC, however others say it should be installed on all. Any suggestions greatly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2017 02:27 PM

I hope you mean you install Splunk Universal Forwarders (SUF) on your DCs rather than Splunk Core.

I think the decision comes down to what behavior you want when a DC not logging to Splunk becomes primary. When a secondary DC takes over as primary, it should would be nice to have that event logged in Splunk, which probably won't happen if not all DCs run SUF. Also, whatever dashboards or alerts you have will continue to function uninterrupted if the new PDC is already logging to Splunk.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2017 02:27 PM

I hope you mean you install Splunk Universal Forwarders (SUF) on your DCs rather than Splunk Core.

I think the decision comes down to what behavior you want when a DC not logging to Splunk becomes primary. When a secondary DC takes over as primary, it should would be nice to have that event logged in Splunk, which probably won't happen if not all DCs run SUF. Also, whatever dashboards or alerts you have will continue to function uninterrupted if the new PDC is already logging to Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

medma1934
New Member
‎01-11-2017 08:56 AM

Thanks. on to battle.

Appreciate the feed back.

-Mike

0 Karma
Reply
Solved! Jump to solution

medma1934
New Member
‎01-11-2017 06:36 AM

Thanks, Splunk agent is the only thing running on a few Domain Controllers. Ultimately would like to put on all remaining DC but the pushback from the team is why? The team thinks that running splunk agent on the PDC is enough. Other than the reason of what if you move PDC to another it will log uninterrupted, i find myself having a hard time justifying why Splunk agent should be on all.

As i understand, Most events are replicated across all Domain Controllers for Authentication purposes of a domain but security events as i understand dont. I am in favor of adding Splunk agent more so because of security events in this day and age.

Appreciate your info.

Thanks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-11-2017 06:57 AM

Your security concerns are well-founded. An attacker on your SDCs might go unnoticed without Splunk logging.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...