Monitoring Splunk

Can Active Directory be monitored by Splunk Enterprise which is running on linux?

nandhini_amir
Engager

Help me out with this question...
Can AD be monitored by Splunk Enterprise which is running on Linux? I referred to the Splunk documentation at
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/MonitorActiveDirectory, which mentions that Splunk Enterprise should run on Windows.

If AD can be monitored by Splunk running on Linux, how can I do that? Kindly provide any documentation regarding that.


KARANMALHOTRA
Path Finder

Yes, you can monitor AD even if your Splunk Enterprise is running on Linux or any other OS.

You don't need to have the whole Splunk Enterprise running on the AD server to monitor it. You need to use a Universal Forwarder on the AD server, and to that you can deploy the Splunk Add-on for Microsoft Active Directory.

This add-on will collect the required information from your AD instance and send it to your indexer. We are using this method extensively, and our Splunk Enterprise servers are all on Linux.

The companion app is called Splunk App for Windows Infrastructure, which will have your dashboards for AD.

You may also check this add-on, based on your requirement: Splunk Supporting Add-on for Active Directory.


nandhini_amir
Engager

Thanks Karan, for sharing your answer.
I need a little more clarification; kindly help me out with this.

What are the advantages and disadvantages of Splunk Enterprise running on Linux vs. Windows to monitor an AD server?
As the documentation mentions using Splunk Enterprise on Windows for monitoring the AD server, if I were to use Splunk on Linux, what problems might arise?


KARANMALHOTRA
Path Finder

Hi Nandhini,
The choice of OS running Splunk Enterprise really does not matter in the monitoring of the AD server, as the monitoring metrics, events and logs are all captured by the Universal Forwarder (which will be for the specific OS version where your AD is installed).

The approach I am suggesting is this. In this approach your Splunk Enterprise can be installed on any OS platform.
AD Server (Splunk UF with AD add-ons) --------> Splunk Enterprise (Indexing, Alerting and Dashboarding)

The article you had linked is fundamentally different, as it is considering installing Splunk Enterprise on your AD server itself, which to be fair will not be scalable as you may have many AD servers in the future.

I'm afraid that for exact differences in both approaches, you may have to read through the notes in the documentation. Hope this helps.

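A worked configuration for the deployment Karan describes in his answer and in the reply above (Universal Forwarder plus AD add-on on the domain controller, forwarding to a Linux Splunk Enterprise indexer). This is an added example, not configuration from the original posts or from Splunk's add-on packages. The app directory name, indexer hostname, receiving port and the `ad` index are assumptions; the stanza and parameter names are the standard Splunk Enterprise `admon`, `WinEventLog`, `tcpout` and `splunktcp` settings.

```ini
# ===== On the domain controller: Universal Forwarder =====
# File: $SPLUNK_HOME\etc\apps\my_ad_inputs\local\inputs.conf
# ("my_ad_inputs" is a hypothetical app name; the index "ad" is assumed to
#  exist on the Linux indexer.)

# Active Directory object-change monitoring (admon input). Records
# creations, deletions and attribute changes on AD objects, which is the
# data the AD dashboards are built on. targetDc left empty = nearest DC.
[admon://NearestDC]
targetDc =
startingNode =
monitorSubtree = 1
baseline = 0
index = ad
disabled = 0

# Windows Security event log: logons, account/group changes, Kerberos
# ticket events. renderXml keeps the full event; evt_resolve_ad_obj maps
# SIDs and GUIDs to readable names at collection time.
[WinEventLog://Security]
index = ad
disabled = 0
start_from = oldest
current_only = 0
renderXml = true
evt_resolve_ad_obj = 1

# System log for DC service and replication health events.
[WinEventLog://System]
index = ad
disabled = 0

# File: $SPLUNK_HOME\etc\apps\my_ad_inputs\local\outputs.conf
# Ship everything to the Linux indexer. The forwarder only needs outbound
# TCP to this host and port; no Splunk Enterprise runs on the DC.
[tcpout]
defaultGroup = linux_indexers

[tcpout:linux_indexers]
server = splunk-idx01.example.internal:9997

# ===== On the Linux Splunk Enterprise indexer =====
# File: $SPLUNK_HOME/etc/system/local/inputs.conf
# Open the receiving port the forwarder sends to.
[splunktcp://9997]
disabled = 0

# File: $SPLUNK_HOME/etc/system/local/indexes.conf
# Create the index the forwarder writes into (paths are the defaults).
[ad]
homePath = $SPLUNK_DB/ad/db
coldPath = $SPLUNK_DB/ad/colddb
thawedPath = $SPLUNK_DB/ad/thaweddb
```

After restarting the forwarder and indexer, a check from the Linux side such as `index=ad | stats count by host, sourcetype` should show the DC's hostname with the `ActiveDirectory` sourcetype (admon) and the `WinEventLog:Security` and `WinEventLog:System` sourcetypes; if nothing arrives, the usual suspects are the receiving port not being open on the indexer and the `ad` index not existing. The Splunk App for Windows Infrastructure then reads from these inputs for its AD dashboards, so the indexer's own operating system never enters into it.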

nandhini_amir
Engager

Hi Karan,

I have a question, kindly give a clarification about it 🙂
You have mentioned that you are extensively using Splunk Enterprise on Linux for a Windows AD server.
Are all the dashboards lighting up in the Splunk App for Windows Infrastructure?
And also, is the documentation I mentioned purely about installing Splunk Enterprise on the AD server itself?


nandhini_amir
Engager

Thanks Karan, your answer really helped me.. 🙂
