Installation

Newbie Windows Installation Question

rzorz
Explorer

I was voluntold to install Splunk asap.  A VM was created with 2019 Datacenter.  I was "guided" by someone from another agency.  I downloaded and installed Splunk 8.1.1 and he walked me through the installation. 

One of our primary reasons for installing Splunk is to be able to monitor Active Directory.  I did NOT use an AD account when installing Enterprise.  I guess it just lets you install with a made-up ID.

So the questions are:  Can I monitor AD if I didn't install with an AD account?  If not, is the only option to reinstall?  

1 Solution

richgalloway
SplunkTrust

That must be new because every Windows UF I've installed has asked which inputs I want to enable.  So if the installer isn't going to do it, then you'll have to do it.

Create the following directory path: C:\Program Files\SplunkUniversalForwarder\etc\apps\my_AD_inputs\default.  In that directory, create and edit a file called 'inputs.conf'.  Add the following lines, changing 'checkpointInterval' to a different value (in seconds) if desired.

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest


[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Forwarded Events]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

Create an index called 'wineventlog' on your Splunk server and then restart the UF.

---
If this reply helps you, Karma would be appreciated.
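A scripted version of the steps in this answer (create the app directory, write the five WinEventLog stanzas, restart the UF), plus a check for the receiver address that the later reply says the installer should have asked for. This is an added example, not code from the thread or from Splunk; it assumes the default install path quoted above, a Windows service named SplunkForwarder, and an elevated PowerShell prompt on the domain controller. The app name my_AD_inputs and the index name wineventlog are the ones used in the answer.

```powershell
# Added example: build the local inputs app described in the accepted answer,
# verify the forwarder sees it, confirm a receiver is configured, then restart.
# Assumptions: default UF install path, service name SplunkForwarder, elevated prompt.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$AppDir     = Join-Path $SplunkHome 'etc\apps\my_AD_inputs\default'
$IndexName  = 'wineventlog'
$Checkpoint = 10   # seconds between checkpoint writes, as in the answer; adjust if desired

# The same five channels as the answer. Security is the channel AD auditing
# (logons, group changes, Kerberos activity) is written to.
$Channels = 'Application', 'Security', 'System', 'Forwarded Events', 'Setup'

New-Item -ItemType Directory -Path $AppDir -Force | Out-Null

# One stanza per channel, identical in shape to the answer's inputs.conf.
$stanzas = foreach ($ch in $Channels) {
@"
[WinEventLog://$ch]
checkpointInterval = $Checkpoint
current_only = 0
disabled = 0
index = $IndexName
start_from = oldest

"@
}

# Write without a byte-order mark; a BOM in front of the first '[' can keep
# Splunk from recognising the first stanza.
$confPath = Join-Path $AppDir 'inputs.conf'
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
[System.IO.File]::WriteAllText($confPath, ($stanzas -join ''), $utf8NoBom)

$splunk = Join-Path $SplunkHome 'bin\splunk.exe'

# Check 1: btool prints the merged inputs configuration and, with --debug, the
# file each setting came from. The Security stanza should resolve to our app.
& $splunk btool inputs list 'WinEventLog://Security' --debug

# Check 2: the forwarder must already know where to send data (entered during
# install or set in outputs.conf). If no receiver is listed, nothing will arrive
# on the indexer no matter what inputs are enabled. This prompts for the UF's
# admin credentials.
& $splunk list forward-server

# Apply the new app by restarting the forwarder service, then confirm it is running.
Restart-Service -Name SplunkForwarder
Get-Service -Name SplunkForwarder
```

Two things the script cannot do for you. The index must exist on the Splunk Enterprise side before events arrive (for example `splunk add index wineventlog` on the indexer, or an indexes.conf stanza); events addressed to an index that does not exist are dropped there, not queued. And the input only forwards what Windows already writes: which AD activity shows up in the Security channel is decided by the domain controller's audit policy, not by inputs.conf. The UF running as Local System can read the Security log without a domain account, which is why the answer above says no AD account is needed.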



richgalloway
SplunkTrust

Yes, you can monitor AD without an AD account.  The best way to do that is to install the Splunk Universal Forwarder on the AD server and turn on the desired inputs in the inputs.conf file.  The UF will then send AD events to Splunk where you can monitor them.

---
If this reply helps you, Karma would be appreciated.

rzorz
Explorer

Thanks for responding!  So we don't have to reinstall.  We're loading the Splunk Universal Forwarder on the DCs.  Can't say I've heard of the inputs.conf file.


richgalloway
SplunkTrust

When you install the UF on the AD, the installer will ask you to select what you want to monitor.  That will update the inputs.conf file so you won't have to.  Later, however, any changes will have to be made by editing the file.  See https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configuretheuniversalforwarder

---
If this reply helps you, Karma would be appreciated.

rzorz
Explorer

When I installed the Universal Forwarder on the DC, it didn't ask for anything but where to install it and what UserID.


richgalloway
SplunkTrust

Are you sure you installed the right file?  The name should start with "splunkforwarder".  The installer should ask for the IP address of your Splunk Enterprise system (so it knows where to forward data) as well as what events to forward.

---
If this reply helps you, Karma would be appreciated.

rzorz
Explorer

Says SplunkForwarder 8.1.1.  It asks for Credentials.  It asks for IP of deployment or receiver.  I put in Receiver and port, then it just installs.  Nothing else comes up, and then it's a service.

