Installation

Newbie Windows Installation Question

rzorz
Explorer

I was voluntold to install Splunk asap.  A VM was created with 2019 Datacenter.  I was "guided" by someone from another agency.  I downloaded and installed Splunk 8.1.1 and he walked me through the installation. 

One of our primary reasons for installing Splunk is to be able to monitor Active Directory.  I did NOT use an AD account when installing Enterprise.  I guess it just lets you install with a made-up ID. 

So the questions are:  Can I monitor AD if I didn't install with an AD account?  If not, is the only option to reinstall?  


richgalloway
SplunkTrust

Yes, you can monitor AD without an AD account.  The best way to do that is to install the Splunk Universal Forwarder on the AD server and turn on the desired inputs in the inputs.conf file.  The UF will then send AD events to Splunk where you can monitor them.

---
If this reply helps you, Karma would be appreciated.

rzorz
Explorer

Thanks for responding!  So we don't have to reinstall.  We're loading the Splunk Universal Forwarder on the DCs.  Can't say I've heard of the inputs.conf file.


richgalloway
SplunkTrust

When you install the UF on the AD, the installer will ask you to select what you want to monitor.  That will update the inputs.conf file so you won't have to.  Later, however, any changes will have to be made by editing the file.  See https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configuretheuniversalforwarder

---
If this reply helps you, Karma would be appreciated.

rzorz
Explorer

When I installed the Universal Forwarder on the DC, it didn't ask for anything but where to install it and what UserID.


richgalloway
SplunkTrust

Are you sure you installed the right file?  The name should start with "splunkforwarder".  The installer should ask for the IP address of your Splunk Enterprise system (so it knows where to forward data) as well as what events to forward.

---
If this reply helps you, Karma would be appreciated.

rzorz
Explorer

Says SplunkForwarder 8.1.1.  It asks for Credentials.  It asks for IP of deployment or receiver.  I put in Receiver and port, then it just installs.  Nothing else comes up, and then it's a service.


richgalloway
SplunkTrust

That must be new because every Windows UF I've installed has asked which inputs I want to enable.  So if the installer isn't going to do it, then you'll have to do it.

Create the following directory path: C:\Program Files\SplunkUniversalForwarder\etc\apps\my_AD_inputs\default.  In that directory, create and edit a file called 'inputs.conf'.  Add the following lines, changing 'checkpointInterval' to a different value (in seconds) if desired.

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Forwarded Events]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

Create an index called 'wineventlog' on your Splunk server and then restart the UF.

---
If this reply helps you, Karma would be appreciated.
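The steps in the accepted answer, carried out as one PowerShell script, with a check at the end that the Security channel input really is enabled after the restart. This is an added example, not code from the thread or from Splunk; it assumes the default install path, the default service name "SplunkForwarder", an elevated prompt, and that the 'wineventlog' index already exists on the indexer.

```powershell
# Added example (not from the thread): build the my_AD_inputs app described
# above, write its inputs.conf, restart the forwarder and verify the result.
# Assumes the default UF path and service name and an elevated PowerShell.
$UfHome   = 'C:\Program Files\SplunkUniversalForwarder'
$AppDir   = Join-Path $UfHome 'etc\apps\my_AD_inputs\default'
$Channels = @('Application', 'Security', 'System', 'Forwarded Events', 'Setup')
$Index    = 'wineventlog'          # must already exist on the indexer
$CheckpointInterval = 10           # seconds, as in the answer above

if (-not (Test-Path (Join-Path $UfHome 'bin\splunk.exe'))) {
    throw "Universal Forwarder not found under $UfHome"
}

# One stanza per channel, identical to the inputs.conf in the answer
$stanzas = foreach ($c in $Channels) {
@"
[WinEventLog://$c]
checkpointInterval = $CheckpointInterval
current_only = 0
disabled = 0
index = $Index
start_from = oldest
"@
}

New-Item -ItemType Directory -Path $AppDir -Force | Out-Null
Set-Content -Path (Join-Path $AppDir 'inputs.conf') `
            -Value ($stanzas -join "`n`n") -Encoding ASCII

# Restart the UF so the new app is picked up, and wait for it to come back
Restart-Service -Name SplunkForwarder
(Get-Service -Name SplunkForwarder).WaitForStatus('Running', '00:01:00')

# btool shows the merged configuration the UF is actually running with;
# a stanza from a higher-precedence app could still override this one.
$btool = & (Join-Path $UfHome 'bin\splunk.exe') btool inputs list 'WinEventLog://Security'
if ($btool -match '^disabled\s*=\s*0') {
    Write-Output 'Security channel input is enabled; look for events in index=wineventlog on the indexer.'
} else {
    Write-Warning 'Security channel input is not enabled; run "splunk btool inputs list --debug" to see which file wins.'
}
```

If the Security channel shows as enabled but nothing reaches the indexer, check outputs.conf for the receiver address and port entered during the install.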