Hi. So I'm reading about this Add-on and the instructions seem to be pretty straightforward about getting the Add-on installed on my search head and indexer. What I have are Domain Controllers on a network that is not local. I have a universal forwarder (Ubuntu) on site there which is forwarding Palo Alto logs via syslog-ng.
My question is this. What do I need to install on a Domain Controller on the remote network to get it to gather Active Directory and forward to the indexer either directly or via the universal forwarder?
You have to have access to the event log you want to pull your logs from. There are several possible approaches.
1. Typically you install the Universal Forwarder on your Domain Controller and it pulls the events from the local event logs.
But this approach might not be well received by your security and IT guys - installing additional software on DC's is not something taken lightly.
2. You might use Windows Event Forwarding to push or pull (depending on your deployment mode) the logs to another Windows server and get the events from there.
3. You can install UF on a domain computer from which you'd query DC's event logs with WMI.
You can also try some third-party tools like SolarWinds syslog, but they will give you events in strange formats which will not directly work with the Windows Add-on and will need some conversion.
Ok, I see on the install it asks for local, domain or virtual account. Then on the next screen there is an Active Directory Monitoring check box. Is that it? Also, do I need the user for the UF to be a Domain Account? Admin?
To be fully honest, I'm not that good with Windows, especially domains, to tell you exactly what user you need to run the UF on a DC. It needs to be able to read the event logs, so usually Local System is good enough, but for some its permissions are too broad, so they use another account with more tailored permissions and privileges.
I do like the idea of installing the UF on a Domain Controller. I've seen it is not a heavy load on the server itself. During setup it asks what logs to gather and send along. Is that where I will have options that include AD logs and such? That's the part I'm not sure of. Does the UF specifically give the option to send along AD info?
I can ensure safe passage from the DC to the Splunk Indexer at AWS...
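An added example, not from any of the posts above: a minimal inputs.conf for approach 1 (UF installed directly on the DC), which is what the installer's log selection and "Active Directory Monitoring" checkbox write for you. The index name `wineventlog` is a placeholder; the commented stanza at the end shows the collector-side input for approach 2 (WEF).

```ini
# Added example inputs.conf for a Universal Forwarder on a Domain Controller.
# Lives in $SPLUNK_HOME\etc\system\local\inputs.conf (or the Windows TA's local dir).
# "wineventlog" is a placeholder index name; change it to match your indexer.

# Security log: logons, Kerberos tickets, account and group management.
[WinEventLog://Security]
disabled = 0
# Pull the existing backlog once, then keep tailing new events.
start_from = oldest
current_only = 0
checkpointInterval = 5
# Resolve SIDs/GUIDs to names; the UF's service account needs AD read access for this.
evt_resolve_ad_obj = 1
index = wineventlog

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog

# This is the input the "Active Directory Monitoring" checkbox enables:
# object change notifications from AD itself, separate from the Security log.
[admon://default]
disabled = 0
# Monitor the whole tree below the default naming context.
monitorSubtree = 1
index = wineventlog

# Approach 2 instead: DCs forward via WEF to a collector server and the UF
# on the collector reads the ForwardedEvents channel (uncomment there, not here).
#[WinEventLog://ForwardedEvents]
#disabled = 0
#index = wineventlog
```

The UF service account only needs read access to the Security log for the WinEventLog stanzas; the admon stanza and evt_resolve_ad_obj additionally need an account that can read the directory, which is why Local System (a domain-trusted computer identity on a DC) is the usual default.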