Getting Data In

why Active Directory?? another way??

hanene
Explorer

Hi,

I found that in order to make Splunk able to read the Event Log remotely, or read network shares for log files, I have to use a domain account, i.e. Active Directory.
1) I need to know why we must use AD??
2) Is there another way to do it without the use of AD?
For me, I don't use AD!!

Any solutions!!!

1 Solution

araitz
Splunk Employee

That is just the way services work on Windows. Splunk's service (splunkd) must be running as a user that has permission to access the Event Log service on remote devices. Similarly, Windows file shares require that the service accessing the share have the appropriate credentials.

If you aren't using AD, then you just need to make sure that the user the Splunk services are running as (let's say 'splunk_service_account') exists on the remote boxes that you are attempting to access and has the same password on those machines. Furthermore, the user account should have at least read permission on the file share and must be in the Administrator group on the remote machines to read Event Logs.


Drainy
Champion

Also, just in case you aren't aware, you can also use something called the Universal Forwarder to forward Windows event logs back to your indexer. Basically, instead of pulling them remotely, you can install a small agent (the Universal Forwarder) on each Windows box and configure it to forward the event logs to the remote indexer. This is quite a safe and fairly common way to get the event logs into Splunk.
The beauty of this approach is that you can also do some basic filtering of what you want before it reaches the indexer, so you aren't necessarily just throwing everything at the indexer.
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Introducingtheuniversalforwarder
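As an added example (not from Drainy's post or from Splunk's documentation), here is what the forwarder-side filtering described above looks like in a Universal Forwarder's inputs.conf, with a minimal outputs.conf pointing at the indexer. It assumes an app directory named `uf_wineventlog` under `$SPLUNK_HOME/etc/apps/`, an indexer reachable as `indexer.example.local` on port 9997, and an index called `wineventlog` that already exists on that indexer; the specific event IDs and the conhost filter are illustrative choices, not a recommended baseline.

```ini
# $SPLUNK_HOME/etc/apps/uf_wineventlog/local/inputs.conf  (app name assumed)
# Collected locally by the forwarder agent; no remote share or remote
# Event Log access is needed, so no shared service account on each host.

[WinEventLog://Security]
disabled = 0
index = wineventlog                 ; assumed to exist on the indexer
start_from = oldest
current_only = 0
checkpointInterval = 5
; Simple whitelist: only these Security event IDs leave the host
; (logons, explicit credentials, privileged logon, process creation,
; user/group lifecycle). Everything not listed is dropped here.
whitelist = 4624,4625,4648,4672,4688,4720-4726,4732,4756
; Advanced (regex) blacklist applied on top of the whitelist:
; drop 4688 process-creation events for conhost.exe, a common source of noise.
blacklist1 = EventCode="4688" Message="New Process Name:\s+C:\\Windows\\System32\\conhost\.exe"
renderXml = false

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
; Service start/stop (7036) is usually far too chatty to ship; drop it.
blacklist = 7036

[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0

# $SPLUNK_HOME/etc/apps/uf_wineventlog/local/outputs.conf  (app name assumed)
# The forwarder pushes the filtered events to the indexer over TCP 9997.

[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.local:9997  ; hostname assumed
```

After restarting the forwarder, a search such as `index=wineventlog sourcetype=WinEventLog:Security | stats count by EventCode` on the indexer should show only the whitelisted codes, which is a quick way to confirm the filters are doing what you expect.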

