Installation

Newbie Windows Installation Question

rzorz
Explorer

I was voluntold to install Splunk asap.  A VM was created with 2019 Datacenter.  I was "guided" by someone from another agency.  I downloaded and installed Splunk 8.1.1 and he walked me through the installation. 

One of our primary reasons for installing Splunk is to be able to monitor Active Directory.  I did NOT use an AD account when installing Enterprise.  I guess it just lets you install with a made-up ID.

So the questions are:  Can I monitor AD if I didn't install with an AD account?  If not, is the only option to reinstall?  

0 Karma

richgalloway
SplunkTrust

Yes, you can monitor AD without an AD account.  The best way to do that is to install the Splunk Universal Forwarder on the AD server and turn on the desired inputs in the inputs.conf file.  The UF will then send AD events to Splunk where you can monitor them.

---
If this reply helps you, Karma would be appreciated.
0 Karma

rzorz
Explorer

Thanks for responding!  So we don't have to reinstall.  We're loading the Splunk Universal Forwarder on the DCs.  Can't say I've heard of the inputs.conf file.

0 Karma

richgalloway
SplunkTrust

When you install the UF on the AD, the installer will ask you to select what you want to monitor.  That will update the inputs.conf file so you won't have to.  Later, however, any changes will have to be made by editing the file.  See https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configuretheuniversalforwarder

---
If this reply helps you, Karma would be appreciated.
0 Karma

rzorz
Explorer

When I installed the Universal Forwarder on the DC, it didn't ask for anything but where to install it and what UserID.

0 Karma

richgalloway
SplunkTrust

Are you sure you installed the right file?  The name should start with "splunkforwarder".  The installer should ask for the IP address of your Splunk Enterprise system (so it knows where to forward data) as well as what events to forward.

---
If this reply helps you, Karma would be appreciated.
0 Karma

rzorz
Explorer

Says SplunkForwarder 8.1.1.  It asks for Credentials.  It asks for IP of deployment or receiver.  I put in Receiver and port, then it just installs.  Nothing else comes up, and then it's a service.

0 Karma

richgalloway
SplunkTrust

That must be new because every Windows UF I've installed has asked which inputs I want to enable.  So if the installer isn't going to do it, then you'll have to do it.

Create the following directory path: C:\Program Files\SplunkUniversalForwarder\etc\apps\my_AD_inputs\default.  In that directory, create and edit a file called 'inputs.conf'.  Add the following lines, changing 'checkpointInterval' to a different value (in seconds) if desired.

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Forwarded Events]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

Create an index called 'wineventlog' on your Splunk server and then restart the UF.

---
If this reply helps you, Karma would be appreciated.
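The steps in this answer (create the app directory, write the inputs.conf stanzas, restart the UF) as one PowerShell script, added here as an example rather than taken from the reply or from Splunk; it assumes the default UF install path, the Windows service name SplunkForwarder, and an elevated prompt on the DC:

```powershell
# Added example, not from the thread. Assumes a default UF install under
# C:\Program Files\SplunkUniversalForwarder and the service name SplunkForwarder.
$UfHome   = 'C:\Program Files\SplunkUniversalForwarder'
$AppDir   = Join-Path $UfHome 'etc\apps\my_AD_inputs\default'
$Channels = 'Application', 'Security', 'System', 'Forwarded Events', 'Setup'

New-Item -ItemType Directory -Path $AppDir -Force | Out-Null

# One stanza per channel, with the same settings as the answer above.
# current_only = 0 together with start_from = oldest replays the whole existing
# log on first start; on a busy DC the Security log alone can be gigabytes, so
# size the wineventlog index and the licence for that before enabling it.
$stanzas = foreach ($ch in $Channels) {
@"
[WinEventLog://$ch]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

"@
}

# Splunk reads .conf files as plain text; writing ASCII avoids a UTF-16 BOM,
# which the UF would not parse as a valid stanza header.
Set-Content -Path (Join-Path $AppDir 'inputs.conf') -Value ($stanzas -join '') -Encoding ascii

# btool shows the merged inputs the UF will actually load and which file each
# setting came from, so a typo in the stanza name is caught before the restart.
$splunk = Join-Path $UfHome 'bin\splunk.exe'
& $splunk btool inputs list 'WinEventLog://Security' --debug

# If the UF runs as a domain account rather than Local System, that account must
# be able to read the Security log (e.g. membership in Event Log Readers), or
# the Security stanza will load but never produce events.
Restart-Service -Name SplunkForwarder
Get-Service -Name SplunkForwarder | Select-Object Status, Name
```

After the restart, the index named in the stanzas must already exist on the indexer, or the events will be dropped with an "index not found" error in splunkd.log rather than queued.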