I am very new to Splunk. If someone could help me with 2 issues I am having with deploying Splunk for Active Directory auditing, I would appreciate it.
Some background on the environment: Windows 2012 Standard; Active Directory forest and domain levels are 2008.
Auditing is turned on and logged in the security logs on each domain controller; we have about 100 domain controllers.
Splunk version is Splunk Enterprise 6.5.3.
Issue#1 - I am having an issue installing splunkforwarder-6.5.3-36937ad027d4-x64-release.msi on a Windows 2012 Standard domain controller. The installer starts normally, I key in the Splunk IP address etc., the file copy progresses to about 75% and stops forever. While the installer is frozen for a long time, I can see the Splunkforwarder service, but it is not started; I can start it. All looks normal, and I can see the client registered in the Splunk server. But as soon as the domain controller is rebooted, the Universal Forwarder gets uninstalled. The bin directory is empty and the Splunkforwarder service throws the error "cannot start fine not found".
This version should be supported on Windows 2012 and Windows 2012 R2.
Issue#2
I find multiple documents for Splunk for Active Directory auditing. Can someone point me to the right one?
https://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/DeploytheSplunkAdd-onsforActiveDirectory
AND
http://docs.splunk.com/Documentation/MSExchange/3.4.1/DeployMSX/DeploytheSplunkAdd-onsforActiveDirectory
AND
http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/Deploymentprocess
Thanks a lot
regards