Help me out with this question...
Can AD be monitored by the Splunk enterprise which is running on linux..? I refered to the splunk documentation of
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorActiveDirectory which mentioned that the splunk enterprise should run on windows..
If AD can be monitored by splunk which is running on linux... how can i do that ? and kindly provide any documentation regarding that.
Yes, you can monitor AD even if your Splunk Enterprise is running on Linux or any other OS.
You don't need to have the whole Splunk Enterprise running on the AD server to monitor it. You need to use a Universal Forwarder on the AD server and to that you can deploy the Splunk Add-on for Microsoft Active Directory
This addon will collect the required information for your AD instance and send it to your Indexer. We are using this method extensively and our Splunk Enterprise servers are all on Linux.
The companion app is called Splunk App for Windows Infrastructure which will have your dashboards for the AD.
You may also check this addon based on your requirement Splunk Supporting Add-on for Active Directory
Yes, you can monitor AD even if your Splunk Enterprise is running on Linux or any other OS.
You don't need to have the whole Splunk Enterprise running on the AD server to monitor it. You need to use a Universal Forwarder on the AD server and to that you can deploy the Splunk Add-on for Microsoft Active Directory
This addon will collect the required information for your AD instance and send it to your Indexer. We are using this method extensively and our Splunk Enterprise servers are all on Linux.
The companion app is called Splunk App for Windows Infrastructure which will have your dashboards for the AD.
You may also check this addon based on your requirement Splunk Supporting Add-on for Active Directory
Thanks Karan, for sharing your answer.
I need little more clarification, kindly help me out with this.
What is the advantages and disadvantages of splunk enterprise running on linux vs windows to monitor AD server.
As in the documentation it is mentioned to use splunk enterprise on windows for monitoring AD server. If i was supposed to use splunk on linux.. what might be the problem arise..?
Hi Nandhini,
The choice of OS running Splunk Enterprise really does not matter in the montioring of the AD server. As the monitoring metrics, events, logs are all captured by the Universal Forwarder (which will be for the specific OS version where your AD is installed)
The approach I am suggesting is this. In this approach your Splunk Enterpise can be installed on any OS platform.
AD Server ( Splunk UF with AD addons) --------> Splunk Enterprise (Indexing, Alerting and Dashboarding)
The article you had linked is fundamentally different as it is considering installing Splunk Enterprise on your AD server itself, which to be fair will not be scalable as you may have many AD servers in the future.
I'm afraid that for exact differences in both approaches, you may have to read through the notes in the documentation. Hope this helps.
Hi Karan,
I have a question, kindly give a clarification about it 🙂
You have mentioned that Extensively you are using splunk enterprise on linux for windows AD server.
Does all the dashboards are lighting up in the splunk app for windows Infrastructure?
And also Does the documentation which I mentioned is purely regarding the installation of the splunk enterprise on AD server itself.
Thanks Karan, your answer really helped me.. 🙂