Solution - To send on-prem Windows Defender AV data to Splunk, send it to Splunk Enterprise via DB Connect. The solution below also works when doing Windows Authentication against the database. Follow these steps on Ubuntu to set up the connection.

1. Install DB Connect

Follow the steps at https://docs.splunk.com/Documentation/DBX/3.5.1/ReleaseNotes/Releasenotes and install the DB Connect DBX 3.4.2 software from Splunkbase (or browse more apps and download it from there).

2. Install Java for DB Connect

First check whether Java is already installed on the server by typing java -version. If it is not installed, run:

   sudo apt update
   sudo apt install default-jre
   sudo apt install openjdk-11-jre-headless

Validate that Java is installed and running in server mode with java -version. It should look something like this:

   $ java -version
   openjdk version "11.0.7" 2020-04-14
   OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-3ubuntu1)
   OpenJDK 64-Bit Server VM (build 11.0.7+10-post-Ubuntu-3ubuntu1, mixed mode, sharing)

3. Set the JAVA_HOME environment variable

OpenJDK 11 is located at /usr/lib/jvm/java-11-openjdk-amd64. Set the variable globally by adding

   JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64"

to /etc/environment. Save and exit vim, then type reboot to reboot the Ubuntu machine.

Now go to DB Connect - Configuration - Settings - General and, in JRE Installation Path, enter /usr/lib/jvm/java-11-openjdk-amd64. Hit Save and let the DB Connect app detect the Java installation.

4. Install the JDBC drivers

Since Java version 11 is installed, we need drivers that support Java 11.

- Install the already-tested 8.2.1 Microsoft generic JDBC driver from https://docs.microsoft.com/en-us/sql/connect/jdbc/release-notes-for-the-jdbc-driver?view=sql-server-...
- Install the jTDS JDBC driver from https://sourceforge.net/projects/jtds/files/ (the link is mentioned in the Splunk documentation).

Both are required, because for Windows Authentication we use a mix of them. Go to DB Connect - Configuration - Settings - Drivers, click Reload, and you should see the 8.2 Generic and 1.3 JTDS drivers. Reboot the Splunk Ubuntu server.

5. Set up the identity (DB Connect - Configuration - Database - Identities)

   Identity Name - any user-friendly name
   Username - the account that has access to the database
   Password - the password of that account
   Check "Use Windows Authentication Domain" and enter the domain
   Hit Save

6. Set up the connection (DB Connect - Configuration - Database - Connections)

This is the trickiest part.

   Connection Name - any user-friendly name
   Identity - select the account that will authenticate against the database
   Connection Type - MS-SQL Server Using JTDS Driver with Windows Authentication
   Timezone - the appropriate timezone
   JDBC URL Setting - enter the JDBC URL manually:

      jdbc:jtds:sqlserver://serverIP:1433/databasename;useCursors=true;domain=domainname;useNTLMv2=true

   Advanced: Read only - checked

7. Make the database connection and send the data to the index created on Splunk Cloud.
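Because the JDBC URL in step 6 is the part that most often goes wrong, here is a small helper that builds the jTDS URL in exactly the shape shown above and checks an existing one for the properties Windows authentication depends on. This is an added example, not code from the original post or from DB Connect; the host, database and domain values in it are constructed placeholders.

```python
# Build and sanity-check the jTDS JDBC URL used for the DB Connect
# "MS-SQL Server Using JTDS Driver with Windows Authentication" connection.
# Added example; not part of the original post or of DB Connect itself.

JTDS_PREFIX = "jdbc:jtds:sqlserver://"


def build_jtds_url(host, database, domain, port=1433):
    """Return jdbc:jtds:sqlserver://host:port/db;useCursors=true;domain=D;useNTLMv2=true"""
    if not (host and database and domain):
        raise ValueError("host, database and domain are all required")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port {port}")
    return (f"{JTDS_PREFIX}{host}:{port}/{database}"
            f";useCursors=true;domain={domain};useNTLMv2=true")


def parse_jtds_url(url):
    """Split a jTDS URL into host, port, database and its ;key=value properties."""
    if not url.startswith(JTDS_PREFIX):
        raise ValueError("not a jtds sqlserver URL")
    head, *props = url[len(JTDS_PREFIX):].split(";")
    hostport, _, database = head.partition("/")
    host, _, port = hostport.partition(":")
    parsed = {"host": host, "port": int(port) if port else 1433, "database": database}
    # property keys are matched case-insensitively; values are kept verbatim
    parsed["props"] = {k.lower(): v for k, _, v in (p.partition("=") for p in props if p)}
    return parsed


def check_jtds_url(url):
    """Return a list of problems that make the Windows-auth connection fail or weaken it."""
    try:
        p = parse_jtds_url(url)
    except ValueError as e:
        return [str(e)]
    props, problems = p["props"], []
    if not p["database"]:
        problems.append("database name missing after the port")
    if not props.get("domain"):
        problems.append("domain= property missing (required for Windows authentication)")
    if props.get("usentlmv2", "").lower() != "true":
        problems.append("useNTLMv2=true missing (jTDS otherwise sends the older NTLM responses)")
    if props.get("usecursors", "").lower() != "true":
        problems.append("useCursors=true missing")
    for secret in ("user", "password"):
        if secret in props:  # credentials belong in the DB Connect identity, not in the URL
            problems.append(f"{secret}= embedded in URL; keep credentials in the DB Connect identity")
    return problems


if __name__ == "__main__":
    url = build_jtds_url("10.0.0.5", "DefenderDB", "CORP")  # constructed sample values
    print(url, check_jtds_url(url) or "OK")
```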