Getting Data In

why Active Directory?? another way??

Explorer

Hi,

I found that in order to make splunk able to read Event Log remotely, or read network shares for log files, I have to use a domain account, an active directory.
1) I need to know whay we must use AD??
2) There is an other way to do it with out the use of AD.
For me, I don't use AD!!

Any solutions!!!

1 Solution

Splunk Employee
Splunk Employee

That is just the way services work on Windows. Splunk's service (splunkd) must be running as a user that has permission to access the Event Log service on remote devices. Similarly, windows file shares require that the service accessing the share have the appropriate credentials.

If you aren't using AD, then you just need to make sure that the user the Splunk services are running as (let's say 'splunkserviceaccount') exists on the remote boxes that you are attempting to access and has the same password on those machines. Furthermore, the user account should have at least read permission on the file share and must be in the Administrator group on the remote machines to read Event Logs.

View solution in original post

Champion

Also, just in-case you aren't aware you can also use something called the Universal Forwarder to forward windows event logs back to your indexer. Basically instead of pulling them remotely you can install a small agent (the Universal Forwarder) on each windows box and configure it to forward the event logs to the remote indexer. This is quite a safe and fairly common way to get the event logs into Splunk.
The beauty of this approach is you can also do some basic filtering of what you want before it reaches the indexer so you aren't necessarily just throwing everything at the indexer.
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Introducingtheuniversalforwarder

Splunk Employee
Splunk Employee

That is just the way services work on Windows. Splunk's service (splunkd) must be running as a user that has permission to access the Event Log service on remote devices. Similarly, windows file shares require that the service accessing the share have the appropriate credentials.

If you aren't using AD, then you just need to make sure that the user the Splunk services are running as (let's say 'splunkserviceaccount') exists on the remote boxes that you are attempting to access and has the same password on those machines. Furthermore, the user account should have at least read permission on the file share and must be in the Administrator group on the remote machines to read Event Logs.

View solution in original post