Getting Data In

why Active Directory?? another way??

hanene
Explorer

Hi,

I found that in order to make Splunk able to read the Event Log remotely, or read network shares for log files, I have to use a domain account, i.e. an Active Directory account.
1) I need to know why we must use AD??
2) Is there another way to do it without the use of AD?
For me, I don't use AD!!

Any solutions!!!

1 Solution

araitz
Splunk Employee

That is just the way services work on Windows. Splunk's service (splunkd) must be running as a user that has permission to access the Event Log service on remote devices. Similarly, Windows file shares require that the service accessing the share have the appropriate credentials.

If you aren't using AD, then you just need to make sure that the user the Splunk services are running as (let's say 'splunk_service_account') exists on the remote boxes that you are attempting to access and has the same password on those machines. Furthermore, the user account should have at least read permission on the file share and must be in the Administrator group on the remote machines to read Event Logs.

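A read-only check of the prerequisites the accepted answer lists, run locally on each non-domain Windows box Splunk will read from. This is an added example, not code from the thread or from Splunk. The account name 'splunk_service_account' comes from the answer; the share name 'logs' is a placeholder. The matching password cannot be verified from the target without logging on as that account, so only existence, Administrators membership and share/NTFS read access are checked.

```powershell
# Added example, not part of the thread. Read-only check of the prerequisites in the
# accepted answer, run locally on a non-domain Windows box that Splunk will read from.
# 'splunk_service_account' comes from the answer; the share name 'logs' is a placeholder.
param(
    [string]$Account   = 'splunk_service_account',
    [string]$ShareName = 'logs'
)

$checks = [ordered]@{}

# 1) A local account with the same name must exist (its password must match the one on
#    the Splunk host; that cannot be verified here without logging on as the account).
$user = Get-LocalUser -Name $Account -ErrorAction SilentlyContinue
$checks['AccountExists']  = [bool]$user
$checks['AccountEnabled'] = if ($user) { $user.Enabled } else { $false }

# 2) The answer requires membership in the local Administrators group to read Event Logs.
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
$checks['InLocalAdministrators'] = @($members | Where-Object {
    ($_.Name -split '\\')[-1] -eq $Account
}).Count -gt 0

# 3) At least Read on the SMB share itself and Read on the folder's NTFS ACL.
$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if ($share) {
    $smbAcl = Get-SmbShareAccess -Name $ShareName
    $checks['ShareReadGranted'] = @($smbAcl | Where-Object {
        ($_.AccountName -split '\\')[-1] -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in @('Read', 'Change', 'Full')
    }).Count -gt 0

    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $ntfsAcl  = (Get-Acl -Path $share.Path).Access
    $checks['NtfsReadGranted'] = @($ntfsAcl | Where-Object {
        ($_.IdentityReference.Value -split '\\')[-1] -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readData) -eq $readData)
    }).Count -gt 0
} else {
    $checks['ShareReadGranted'] = $false
    $checks['NtfsReadGranted']  = $false
}

# Report; any False row is a prerequisite the answer says must be met before splunkd can read.
[pscustomobject]$checks | Format-List
$missing = $checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key }
if ($missing) {
    Write-Warning ("Unmet prerequisites on {0}: {1}" -f $env:COMPUTERNAME, ($missing -join ', '))
}
```

The script changes nothing on the box; it only reports which of the answer's conditions hold, so it can be run on every target before remote collection is switched on and re-run whenever a read stops working.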

Drainy
Champion

Also, just in case you aren't aware, you can also use something called the Universal Forwarder to forward Windows event logs back to your indexer. Basically, instead of pulling them remotely you can install a small agent (the Universal Forwarder) on each Windows box and configure it to forward the event logs to the remote indexer. This is quite a safe and fairly common way to get the event logs into Splunk.
The beauty of this approach is you can also do some basic filtering of what you want before it reaches the indexer, so you aren't necessarily just throwing everything at the indexer.
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Introducingtheuniversalforwarder
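The Universal Forwarder reads the Event Log on the box it is installed on, so the remote-access account from the question is not needed. The example below, added here and not from the thread or from Splunk, writes the two configuration files a forwarder needs (where to send, and what to collect with the per-channel filtering the post mentions) and restarts the forwarder service. It assumes the forwarder is installed in its default path, that the indexer is 'indexer.example.local' receiving on port 9997, and the event ID lists are a constructed starting point, not a recommendation from the page.

```powershell
# Added example, not from the thread or from Splunk. Writes outputs.conf and inputs.conf for a
# Universal Forwarder so it sends filtered Windows Event Logs to an indexer, then restarts it.
# Assumptions: default UF install path, indexer 'indexer.example.local' on 9997, and constructed
# event ID lists chosen only to illustrate whitelist/blacklist filtering on the forwarder.
$ufLocal = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local'

# Where to send events. 9997 is the conventional Splunk receiving port (assumed here).
$outputsConf = @'
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.local:9997
'@

# What to collect. whitelist keeps only the listed EventCodes, blacklist drops them; anything
# filtered out is discarded on the forwarder and never consumes indexer capacity.
$inputsConf = @'
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
# logon success/failure, special privileges, account and group changes (constructed list)
whitelist = 4624,4625,4672,4720,4726,4728,4732,4756

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
# drop the routine "service entered the running state" events from the Service Control Manager
blacklist = 7036

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
'@

New-Item -ItemType Directory -Path $ufLocal -Force | Out-Null
Set-Content -Path (Join-Path $ufLocal 'outputs.conf') -Value $outputsConf -Encoding ASCII
Set-Content -Path (Join-Path $ufLocal 'inputs.conf')  -Value $inputsConf  -Encoding ASCII

# The forwarder runs as the 'SplunkForwarder' Windows service; restart it to load the new stanzas.
Restart-Service -Name 'SplunkForwarder'
```

Because the filtering lives in inputs.conf on the forwarder, tightening or widening what each box sends is a per-host file change rather than a change to the indexer, and the forwarder's own service account only needs to read the local Event Log.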
