I was voluntold to install Splunk asap. A VM was created with 2019 Datacenter. I was "guided" by someone from another agency. I downloaded and installed Splunk 8.1.1 and he walked me through the installation.
One of our primary reasons for installing Splunk is to be able to monitor Active Directory. I did NOT use an AD account when installing Enterprise. I guess it just lets you install with a made-up ID.
So the questions are: Can I monitor AD if I didn't install with an AD account? If not, is the only option to reinstall?
Yes, you can monitor AD without an AD account. The best way to do that is to install the Splunk Universal Forwarder on the AD server and turn on the desired inputs in the inputs.conf file. The UF will then send AD events to Splunk where you can monitor them.
Thanks for responding! So we don't have to reinstall. We're loading the Splunk Universal Forwarder on the DCs. Can't say I've heard of the inputs.conf file.
When you install the UF on the AD, the installer will ask you to select what you want to monitor. That will update the inputs.conf file so you won't have to. Later, however, any changes will have to be made by editing the file. See https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configuretheuniversalforwarder
When I installed the Universal Forwarder on the DC, it didn't ask for anything but where to install it and what UserID.
Are you sure you installed the right file? The name should start with "splunkforwarder". The installer should ask for the IP address of your Splunk Enterprise system (so it knows where to forward data) as well as what events to forward.
Says SplunkForwarder 8.1.1. It asks for Credentials. It asks for IP of deployment or receiver. I put in Receiver and port, then it just installs. Nothing else comes up, and then it's a service.
That must be new because every Windows UF I've installed has asked which inputs I want to enable. So if the installer isn't going to do it, then you'll have to do it yourself.
Create the following directory path: C:\Program Files\SplunkUniversalForwarder\etc\apps\my_AD_inputs\default. In that directory, create and edit a file called 'inputs.conf'. Add the following lines, changing 'checkpointInterval' to a different value (in seconds) if desired.
[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
[WinEventLog://Forwarded Events]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
Create an index called 'wineventlog' on your Splunk server and then restart the UF.
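The procedure above (create the app directory, write inputs.conf, restart the UF) typed out as a PowerShell script, as an added example that is not part of the original thread or of Splunk's own documentation. It assumes the default UF install path and the SplunkForwarder service name, reuses the app name my_AD_inputs and the index wineventlog from the answer, and must run in an elevated PowerShell on the DC. The channel list uses the names Get-WinEvent -ListLog reports, so the forwarded log is ForwardedEvents without a space, which is also the form Splunk's documentation uses in the stanza header; the script warns about any channel that does not exist on the host, because a misspelled stanza name collects nothing and fails silently.

```powershell
# Added example: build the UF app from the thread, check it, restart the forwarder.
# Assumptions: default install path, service name SplunkForwarder, app/index names from the answer.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$AppDir     = Join-Path $SplunkHome 'etc\apps\my_AD_inputs\default'
$IndexName  = 'wineventlog'
# Windows channel names as reported by Get-WinEvent -ListLog.
$Channels   = 'Application', 'Security', 'System', 'ForwardedEvents', 'Setup'

# Generate one stanza per channel instead of pasting five near-identical blocks.
$stanzas = foreach ($ch in $Channels) {
@"
[WinEventLog://$ch]
checkpointInterval = 10
current_only = 0
disabled = 0
index = $IndexName
start_from = oldest

"@
}

New-Item -ItemType Directory -Path $AppDir -Force | Out-Null
Set-Content -Path (Join-Path $AppDir 'inputs.conf') -Value ($stanzas -join '') -Encoding ASCII

# Sanity check: every channel named in inputs.conf must exist on this host.
foreach ($ch in $Channels) {
    if (-not (Get-WinEvent -ListLog $ch -ErrorAction SilentlyContinue)) {
        Write-Warning "Event log channel '$ch' not found on this host; its stanza will collect nothing"
    }
}

# Show the WinEventLog stanzas the UF will actually load after merging default/local layers.
& (Join-Path $SplunkHome 'bin\splunk.exe') btool inputs list --debug |
    Select-String 'WinEventLog://'

Restart-Service -Name SplunkForwarder
```

Two points a practitioner checks before leaving the DC. First, the UF service account must be able to read the Security log: Local System can, a domain service account needs membership in the local Event Log Readers group (or administrator rights), so picking a plain domain user at install time is the usual reason the Security channel stays empty. Second, start_from = oldest with current_only = 0 replays the entire existing Security log on first start, which on a domain controller can be many gigabytes and counts against the Splunk license; if only new activity matters, set start_from = newest for the first run. On the indexer, splunk add index wineventlog creates the index from the CLI if you would rather not click through Settings.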