Splunk Search

Splunk Add-on for Microsoft Windows - Remote Active Directory domain

BrendanCO
Path Finder

Hi. So I'm reading about this Add-on and the instructions seem to be pretty straightforward about getting the Add-on installed on my search head and indexer. What I have are Domain Controllers on a network that is not local. I have a universal forwarder (Ubuntu) on site there which is forwarding Palo Alto logs via syslog-ng. 

My question is this. What do I need to install on a Domain Controller on the remote network to get it to gather Active Directory and forward to the indexer either directly or via the universal forwarder? 

0 Karma

PickleRick
SplunkTrust

You have to have access to the event log you want to pull your logs from. There are several possible approaches.

1. Typically you install the Universal Forwarder on your Domain Controller and it pulls the events from the local event logs.

But this approach might not be well received by your security and IT guys - installing additional software on DCs is not something taken lightly.

2. You might use Windows Event Forwarding to push or pull (depending on your deployment mode) the logs to another Windows server and get the events from there.

3. You can install the UF on a domain computer from which you'd query the DCs' event logs with WMI.

You can also try some third-party tools like SolarWinds syslog, but they will give you events in strange formats which will not directly work with the Windows Add-On and will need some conversion.
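The two UF-based approaches above (UF on the DC reading local logs, or UF on a domain member reading the DC remotely over WMI) both boil down to a few .conf stanzas. The following is an added illustration, not configuration from this thread or from the Splunk Add-on for Windows itself; the DC hostname, index names and event-code filter are assumptions to adapt.

```ini
# inputs.conf in a local app on the UF installed on the Domain Controller (approach 1).
# Hostnames, index names and the filtered event codes are placeholders, not thread values.

# Security log: where AD logon, account and group-membership audit events land.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = wineventlog
# Drop the very noisy Windows Filtering Platform connection events on the host
# so they never consume forwarder bandwidth or license (regex on EventCode).
blacklist = EventCode="^(5156|5157|5158)$"

[WinEventLog://System]
disabled = 0
index = wineventlog

# Directory Service log: replication and DS health errors from the DC.
[WinEventLog://Directory Service]
disabled = 0
index = wineventlog

# Active Directory object monitoring (the "Active Directory Monitoring" installer checkbox).
# Empty targetDc/startingNode = nearest DC and domain root; baseline = 0 skips
# dumping the whole directory tree at first start.
[admon://NearestDC]
targetDc =
startingNode =
monitorSubtree = 1
baseline = 0
disabled = 0
index = msad

# ---- wmi.conf (approach 3): UF on a domain member, DC logs read remotely ----
# The UF service account needs remote event-log read rights on the DC; Local System
# on the member server will not be able to authenticate to the DC over WMI.
[WMI:DC01_Security]
server = DC01.example.invalid
interval = 10
event_log_file = Security
current_only = 0
disabled = 0
index = wineventlog
```

Forward to the indexer with an outputs.conf [tcpout] group using TLS and server-certificate verification, and confirm ingestion with a search such as `index=wineventlog sourcetype=XmlWinEventLog EventCode=4624` before tuning the blacklist further.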


BrendanCO
Path Finder

Ok, I see on the install it asks for local, domain or virtual account. Then on the next screen there is an Active Directory Monitoring check box. Is that it? Also, do I need the user for the UF to be a Domain Account? Admin?

0 Karma

PickleRick
SplunkTrust

To be fully honest, I'm not that good with Windows, especially domains, to tell you exactly what user you need to run the UF on a DC. It needs to be able to read the event logs, so usually Local System is good enough, but for some its permissions are too broad, so they use another account with more tailored permissions and privileges.

0 Karma

BrendanCO
Path Finder

I do like the idea of installing the UF on a Domain Controller. I've seen it is not a heavy load on the server itself. During setup it asks what logs to gather and send along. Is that where I will have options that include AD logs and such? That's the part I'm not sure of. Does the UF specifically give the option to send along AD info?

I can ensure safe passage from the DC to the Splunk Indexer at AWS...

0 Karma