Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can someone share documentation on the best process to verify domain controller logs in Splunk?

GIA
Path Finder
‎11-30-2023 05:19 PM

I am very new using Splunk but I am enjoying it a lot so far.

I am being tasked with writing a document on how to verify that all Domain Controller's logs are going into Splunk for the SecOps team to action on a daily basis. Can someone please point to a good document on this process? Thank you in advance! 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-30-2023 10:52 PM

Hi @GIA ,

I don't know at what step of the DC monitoring you are:

at first, you should take logs from your DCs using a Splunk Universal Forwarder.

On this UF you have to deploy the Splunk Add-On for Microsoft Windows (https://splunkbase.splunk.com/app/742), enabling all the stanzas.

Then you have to configure your UFs to send logs to a Splunk instance.

On this instance, you have to install the same Splunk Add-On for Microsoft Windows  and the Domain Controller Monitoring App for Splunk (https://splunkbase.splunk.com/app/6698).

This last app should give you some Use Cases for monitoring your DCs, if they aren't sufficient, you can develop your Use Cases using the SPL.

Ciao.

Giuseppe  

View solution in original post

Reply
Solved! Jump to solution

GIA
Path Finder
‎12-02-2023 03:28 PM

Thanks a lot!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-02-2023 10:34 PM

Hi @GIA ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-30-2023 10:52 PM

Hi @GIA ,

I don't know at what step of the DC monitoring you are:

at first, you should take logs from your DCs using a Splunk Universal Forwarder.

On this UF you have to deploy the Splunk Add-On for Microsoft Windows (https://splunkbase.splunk.com/app/742), enabling all the stanzas.

Then you have to configure your UFs to send logs to a Splunk instance.

On this instance, you have to install the same Splunk Add-On for Microsoft Windows  and the Domain Controller Monitoring App for Splunk (https://splunkbase.splunk.com/app/6698).

This last app should give you some Use Cases for monitoring your DCs, if they aren't sufficient, you can develop your Use Cases using the SPL.

Ciao.

Giuseppe  

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...