Getting Data In

Why Active Directory?? Another way??

hanene
Explorer

Hi,

I found that in order to make Splunk able to read the Event Log remotely, or read network shares for log files, I have to use a domain account, i.e. an Active Directory account.
1) I need to know why we must use AD??
2) Is there another way to do it without the use of AD?
For me, I don't use AD!!

Any solutions!!!

1 Solution

araitz
Splunk Employee

That is just the way services work on Windows. Splunk's service (splunkd) must be running as a user that has permission to access the Event Log service on remote devices. Similarly, windows file shares require that the service accessing the share have the appropriate credentials.

If you aren't using AD, then you just need to make sure that the user the Splunk services are running as (let's say 'splunk_service_account') exists on the remote boxes that you are attempting to access and has the same password on those machines. Furthermore, the user account should have at least read permission on the file share and must be in the Administrator group on the remote machines to read Event Logs.
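The prerequisites in this answer (a local account of the same name and password on every target, local Administrators membership for Event Log reads, read access on the share) are the usual causes of "access denied" when pulling logs remotely without a domain. The following PowerShell script is an added example for checking them, not code from the thread or from Splunk; the hostnames, share path and account name are constructed placeholders, and it assumes WinRM is reachable on the targets.

```powershell
# Added example (not from the thread or Splunk): verifies, per target host, the
# prerequisites for remote Event Log and file-share collection with a local
# (non-domain) service account. Hostnames, share and account are constructed.
# Run from the host that will do the collecting, as an administrator.

$ServiceAccount = 'splunk_service_account'        # local account named in the answer
$Targets        = @('winhost01', 'winhost02')     # constructed target hostnames
$SharePath      = '\\winhost01\applogs'           # constructed log share
$Cred           = Get-Credential -UserName $ServiceAccount -Message 'Local account password'

foreach ($t in $Targets) {
    # 1) Does the account exist on the remote box, is it enabled, and is it a local admin?
    #    If the password differs from the local copy, this Invoke-Command itself fails,
    #    which is exactly the "same password on those machines" requirement.
    $remote = $null
    try {
        $remote = Invoke-Command -ComputerName $t -Credential $Cred -ErrorAction Stop -ScriptBlock {
            param($acct)
            $user  = Get-LocalUser -Name $acct -ErrorAction SilentlyContinue
            $admin = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                     Where-Object { $_.Name -like "*\$acct" }
            [pscustomobject]@{
                Exists  = [bool]$user
                Enabled = if ($user) { $user.Enabled } else { $false }
                IsAdmin = [bool]$admin
            }
        } -ArgumentList $ServiceAccount
    } catch {
        Write-Warning "$t : remote logon as $ServiceAccount failed ($($_.Exception.Message))"
    }

    # 2) Can we actually read one Security event remotely with those credentials?
    $evtOk = $false
    try {
        Get-WinEvent -ComputerName $t -Credential $Cred -LogName Security -MaxEvents 1 -ErrorAction Stop | Out-Null
        $evtOk = $true
    } catch { }

    # 3) Is the share readable with those credentials? Map it, list it, unmap it.
    $shareOk = $false
    try {
        New-PSDrive -Name SplunkShare -PSProvider FileSystem -Root $SharePath -Credential $Cred -ErrorAction Stop | Out-Null
        Get-ChildItem -Path 'SplunkShare:\' -ErrorAction Stop | Out-Null
        $shareOk = $true
        Remove-PSDrive -Name SplunkShare
    } catch { }

    [pscustomobject]@{
        Host           = $t
        AccountExists  = if ($remote) { $remote.Exists }  else { 'n/a' }
        AccountEnabled = if ($remote) { $remote.Enabled } else { 'n/a' }
        LocalAdmin     = if ($remote) { $remote.IsAdmin } else { 'n/a' }
        EventLogRead   = $evtOk
        ShareRead      = $shareOk
    }
}
```

A row with `LocalAdmin = True` but `EventLogRead = False` usually means the remote-access token filtering that UAC applies to local (non-built-in) administrator accounts is in the way, rather than a wrong password; that is a separate host setting and not something the thread covers, so check it on the target before changing anything.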

Drainy
Champion

Also, just in case you aren't aware, you can also use something called the Universal Forwarder to forward Windows event logs back to your indexer. Basically, instead of pulling them remotely you can install a small agent (the Universal Forwarder) on each Windows box and configure it to forward the event logs to the remote indexer. This is quite a safe and fairly common way to get the event logs into Splunk.
The beauty of this approach is that you can also do some basic filtering of what you want before it reaches the indexer, so you aren't necessarily just throwing everything at the indexer.
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Introducingtheuniversalforwarder
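The forwarder approach needs no remote credentials at all: the agent runs locally, reads the logs as a local service, and the filtering happens in its `inputs.conf` before anything leaves the host. The script below is an added example (not from the thread or from Splunk's documentation) that writes a minimal forwarder app with a whitelisted Security channel and the indexer destination; the app name, index name, indexer hostname and event ID list are constructed placeholders, and it assumes the forwarder is installed in its default location.

```powershell
# Added example (not from the thread or Splunk): drops a small app into a
# Universal Forwarder with local Event Log inputs, filtered before forwarding,
# and an outputs.conf pointing at the indexer. App name, index, indexer and
# event IDs are constructed placeholders. Run as administrator on the forwarder host.

$UfHome = 'C:\Program Files\SplunkUniversalForwarder'                  # default install path
$AppDir = Join-Path $UfHome 'etc\apps\win_eventlog_inputs\local'        # constructed app name
New-Item -ItemType Directory -Path $AppDir -Force | Out-Null

# inputs.conf: which channels to read and what to keep. whitelist is a plain list of
# event IDs; blacklist1 uses the key=regex form to drop the forwarder's own process
# creation noise. evt_resolve_ad_obj = 0 avoids AD lookups, which fit this thread:
# there is no domain to ask.
@'
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 0
whitelist = 4624,4625,4648,4672,4688,4697,4698,4720,4728,4732,4756,4768,4769,4771,4776
blacklist1 = EventCode="4688" Message="SplunkUniversalForwarder\\bin\\"

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0

[WinEventLog://Application]
disabled = 0
index = wineventlog
'@ | Set-Content -Path (Join-Path $AppDir 'inputs.conf') -Encoding ASCII

# outputs.conf: where the events go. 9997 is the conventional receiving port the
# indexer must have enabled; the hostname is a placeholder.
@'
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer01.example.internal:9997
'@ | Set-Content -Path (Join-Path $AppDir 'outputs.conf') -Encoding ASCII

# The forwarder only reads its configuration at start-up.
Restart-Service -Name SplunkForwarder
```

Filtering by whitelist is the safer default for a Security channel: everything not listed is dropped on the host, so the indexer never sees it and licence usage stays predictable, and new event IDs have to be added deliberately rather than arriving unnoticed.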
