In the SA-LDAPSearch, the file is now called ldap.conf. http://docs.splunk.com/Documentation/ActiveDirectory/1.1.4/DeployAD/ConfiguretheSA-ldapsearchsupportingaddon ... View more

So basically what I said. ... View more

If this is your indexer, you can have the application installed on the main drive but have your indexes on a different drive. You can go in to the indexes.conf file and adjust the drive letter or path. More information on the indexes.conf file ... View more

No, that is fine. I have the Splunk Universal Forwarder on all my machines that are DC, DNS, and DHCP. They then send their logs to the central indexer. ... View more

The easiest way might be to install the universal forwarder on the servers that AD Manager Plus is on. Using the monitor feature in the inputs.conf file you would be able to grab the log files. Here would be an example for the inputs.conf file. [monitor://c:\program files\ADManagerPlus\logs\*\*.log] disabled = false followTail = 0 index = admanagerplus sourcetype=aduserlogs More on the inputs.conf file: http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf ... View more

The two thing I can see that is different from mine is your userBaseDN and groupBaseDN and then the commented out password. I use the same account in my environment. Here is an example of what I have in my authentication.conf file. userBaseDN = OU=IT,DC=my,DC=domain;CN=Users,DC=my,DC=domain;OU=Sales,DC=my,DC=domain groupBaseDN = OU=Security Groups,DC=my,DC=domain I list the OUs and not just the full domain. A couple things to try: List the OU/CNs in groupBaseDN/userBaseDN Take off filtering (groupBaseFilter / userBaseFilter) Uncomment the bindDNpassword and enter the service account's password ... View more

I have it on my CentOS 6.3 x64 machine. I have not seen any issues and my server has been running for almost a year now in production. I index around 15GB to 18GB per day. Here is what I did. vim /etc/sysconfig/network-scripts/ifcfg-bond0 vim /etc/sysconfig/network-scripts/ifcfg-em1 vim /etc/sysconfig/network-scripts/ifcfg-em2 vim /etc/modprobe.d/modprobe.conf modprobe bonding service network restart cat /etc/sysconfig/network-scripts/ifcfg-em2 DEVICE="em2" ONBOOT="no" USERCTL=no MASTER=bond0 SLAVE=yes BOOTPROTO=none cat /etc/sysconfig/network-scripts/ifcfg-em1 DEVICE="em1" ONBOOT="no" USERCTL=no MASTER=bond0 SLAVE=yes BOOTPROTO=none cat /etc/sysconfig/network-scripts/ifcfg-bond0 DEVICE="bond0" ONBOOT=yes TYPE=Ethernet BOOTPROTO=none IPADDR=10.10.10.10 PREFIX=24 GATEWAY=10.10.10.254 DNS1=10.10.10.20 DNS2=10.10.10.30 DOMAIN="mydomain.local" DEFROUTE=yes IPV4_FAILURE_FATAL=yes IPV6INIT=no ... View more

What are your LDAP settings? Mainly, what is your "User base DN" and "Group base DN"? I tend to create a specific Security Group for Splunk. I have for example Splunk - Admins, Splunk - Developers - Location 1, Splunk - Developers - Location 2, Splunk - Service Desk, etc. With that, make sure that a group the user is in is mapped to a specific role. Is the group showing up in the "Manager » Access controls » Authentication method » Configure Splunk to use LDAP and map groups » Map groups"? ... View more

Make sure that your opened the Splunk SSL port in the firewall. ... View more

I have never got that to work. ... View more

Do you mean XenApp and not XenServer? If you installed XenApp on a Unix/Linux system, according to the following article you need to add the user.info and user.notice to the syslog.conf file and then use the ctxcfg to configure the level of logging for the user connect/disconnect/reconnect/logoffs. http://support.citrix.com/proddocs/topic/ps-unix/ps-unix-deploy-event-logging.html ... View more

If you want to collect the logs from within XenServer: Open XenCenter and right click on the XenServer you want to configure to send syslog to Splunk and select Properties. Click on the Log Destination tab Select the Remote selection Enter the IP address of the Splunk server Select OK Repeat the above steps for all remaining XenServers If you want the server messages, you will need to edit the syslog.conf file. vi /etc/syslog.conf Add the details you want to send to Splunk. Below is an example. .crit;.emerg;.info;mail.;authpriv.;cron.;local6.* @splunk.localdomain W*ithin Splunk, you need to make sure to listen on UDP port 514 to capture Syslog traffic.* Open up Splunk and go to Manager Under Data, select Data inputs Under UDP, select Add new List item In UDP Port, type in 514. Under Source type, set the sourcetype to From list and then in the list choose syslog. List item Click Save ... View more

I am also getting this. ... View more

OMG! That is truely amazing! Thank you for putting the work in to this. ... View more

I would try to break up my deployment server at that level. In the past I have setup a deployment servers based on my data centers. You could setup a dns name and use a load balancer to point the forwarder to the correct server. ... View more

http://docs.splunk.com/Documentation/Splunk/latest/admin/indexesconf This is the documentation and examples of the indexes.conf file. Create a new indexes.conf in $SPLUNK_HOME/etc/system/local (c:\program files\splunk\etc\system\local\indexes.conf). From here you can change the path location of the indexes. Hope this helps! ... View more

Got any examples of the logs it is sending to Splunk? ... View more

Why not just use the Splunk for Windows in a light forwarder mode? This would allow you to send all the logs/data to Splunk without have the web interface on the host. Is there concerns about using the Splunk agent? ... View more

I believe this is more a limitation of your hardware than the Splunk software. I personally have easily done 150GB in a day of data. I there are customers out there that are doing around 1TB or more of data a day. ... View more

I typically download the rpm and then iussue: rpm -Uvh splunk-X.X.X-XXXXXX-linux-2.6-x86_64.rpm ... View more

Put that on the IIS server sending the logs (on the remote server). C:\Program Files\Splunk\etc\system\local\inputs.conf ... View more

Here is what I have in my inputs.conf file for IIS servers: [monitor://C:\WINDOWS\system32\LogFiles\W3SVC*\] disabled = false followTail = 0 recursive = true index=iis You will need to have an index on the indexer named iis or whatever value you put in the index field. ... View more

also from the canned reports in the app, you can view the results and then see the searches they run to get those reports to help learn and then build alerts. ... View more

Personally, I use Windows Security Operations Center. There is a lot of built in reports for users and groups being added and deleted. One of the dashboards I speed time each day looking at is accounts that were locked at and the NTLM and RDP failures. ... View more

I might be missing something but couldn't you echo the line you wanted in to the file? echo servername=%computername% > c:\program...\serverclass.conf ... View more