What we are trying to do is monitor Active Directory GPO changes and, eventually, Windows DNS. We currently have the universal forwarder installed on 80+ DCs collecting Windows events, and we have the appropriate auditing enabled.
I have been reading a lot about the Splunk App for Windows Infrastructure and AD Monitoring, which seems to be what we need, but I am still unclear on several things. I see that the Splunk App for Windows Infrastructure is supported in Splunk Cloud, but the app actually appears to be unavailable. Does that mean we just get the data and have to build our own dashboards, or do we need specific lookup tables or .conf files on the Cloud search head to use this data?
That app requires several other apps to be installed on the forwarders: Splunk Add-on for Windows, Splunk Add-on for MS Active Directory, and, for our future needs, Splunk Add-on for Windows DNS. I have no idea whether these need to be installed on every DC or just one. Also, does anyone know the additional impact on the system if these apps are installed?
Then we have AD Monitoring. I am not entirely sure whether this is needed in addition, or whether it is all I need. I have also never seen any directions on how to get this working from just a forwarder, but according to the description in the Splunk documentation it should be possible.
Basically, I am not sure exactly what I need installed where, or how to get this data into Splunk Cloud in a usable format.
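Before worrying about which app renders the dashboards, it is worth confirming on a DC that GPO-change auditing is actually producing events for the forwarder to ship. The following is an added example, not part of the original post or of any Splunk app. It relies on the standard Windows Directory Service Changes events (5136 modified, 5137 created, 5141 deleted) and on GPOs being objects of class groupPolicyContainer; running it locally on a DC with an elevated prompt is assumed, and the 50-event cap is an arbitrary choice.

```powershell
# Added example (not from the original thread): check that a domain controller
# is emitting the Directory Service Changes events that GPO monitoring depends on.
# Assumes it is run locally on a DC from an elevated PowerShell session.

# 1. Confirm the audit subcategory is enabled. auditpol /r emits CSV, so the
#    output can be parsed into objects instead of scraped as text.
$policy = auditpol /get /subcategory:"Directory Service Changes" /r | ConvertFrom-Csv
$policy | Select-Object 'Subcategory', 'Inclusion Setting' | Format-Table -AutoSize

# 2. Pull recent GPO changes from the Security log. ObjectClass is an EventData
#    field on 5136/5137/5141, so filtering on it keeps the query on the server side.
$xpath = "*[System[(EventID=5136 or EventID=5137 or EventID=5141)]] and *[EventData[Data[@Name='ObjectClass']='groupPolicyContainer']]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No GPO change events found. Check both the subcategory above and the SACL on CN=Policies,CN=System in the domain partition; the subcategory alone produces nothing without a SACL."
}

# 3. Flatten each event's EventData into a row a human (or a Splunk field
#    extraction) can read: who changed which GPO object, and what attribute.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventID   = $e.Id                       # 5136 modify, 5137 create, 5141 delete
        Actor     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        GpoDN     = $data.ObjectDN              # CN={GUID},CN=Policies,CN=System,DC=...
        Attribute = $data.AttributeLDAPDisplayName  # e.g. versionNumber, displayName, gPCFileSysPath
        Value     = $data.AttributeValue
    }
}
$rows | Format-Table -AutoSize
```

A GPO edit normally shows up as a 5136 on the groupPolicyContainer object with versionNumber changing; a new GPO is a 5137 and a deletion a 5141. If the subcategory reports enabled but the event list is empty after a test edit, the SACL is the usual culprit, and no forwarder-side configuration will fix that.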
I think I now have a much better understanding of all of this.
So, about the system utilization: I finally got an answer from Splunk about this. They are very hesitant to say how enabling AD Monitoring will impact a DC, but the best answer I got is that you can expect 40-80 MB RSS on the memory side and 3-5% CPU utilization, depending on how busy your domain controller is.
I still have one question that seems inconsistent, though. I have read that you need to run the Splunk service with a Domain Admin account in order to capture all additions, changes, and deletions, and that if I just use the SYSTEM account I would only get addition and change information. I have not seen this answer consistently, though. Will the local SYSTEM account be adequate to run this, or does the service need to run as a different user?
Some customers object to using the 'local system' account, as it has a lot of privileges and is against their security policies. I would prefer using a 'domain user', so we can control the access/privileges granted to it.
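Whichever way the service-account question is settled, the first thing to know across 80+ DCs is what the forwarder is running as today and whether any of those accounts sit in Domain Admins. The following is an added example, not code from the thread or from Splunk. It assumes the default Windows service name the universal forwarder installs, 'SplunkForwarder', that WinRM is reachable on the DCs for Get-CimInstance, and that the ActiveDirectory module is available; the report shape is my own choice.

```powershell
# Added example (not from the original thread): inventory the account that runs
# the universal forwarder service on every DC and flag Domain Admin membership.
# Assumptions: service name 'SplunkForwarder' (the installer default), WinRM open
# to each DC, RSAT ActiveDirectory module present on the machine running this.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

# Resolve Domain Admins recursively so nested group membership is not missed.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

$report = foreach ($dc in $dcs) {
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc `
        -Filter "Name='SplunkForwarder'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        [pscustomobject]@{ DC = $dc; Account = '(service not found)'; Kind = 'n/a'; DomainAdmin = $null }
        continue
    }
    $acct = $svc.StartName                      # 'LocalSystem' or 'DOMAIN\svc-splunk'
    $sam  = ($acct -split '\\')[-1]             # strip the domain prefix for the lookup
    $kind = switch -Regex ($acct) {
        '^LocalSystem$'                      { 'local SYSTEM' }
        '^NT AUTHORITY\\(LocalService|NetworkService)$' { 'built-in service account' }
        default                              { 'domain/local user' }
    }
    [pscustomobject]@{
        DC          = $dc
        Account     = $acct
        Kind        = $kind
        DomainAdmin = ($domainAdmins -contains $sam)
    }
}

# Domain Admin accounts first, then anything else worth a second look.
$report | Sort-Object DomainAdmin, Kind -Descending | Format-Table -AutoSize
```

Two rows are the ones to act on: a service running as a Domain Admin on a DC is a credential-theft target out of proportion to what log collection needs, and a mix of SYSTEM on some DCs and a domain user on others explains the "inconsistent" behaviour above, since the two identities do not see the same objects. A dedicated domain user that is granted only the read rights the monitoring actually needs, as the last comment prefers, is the least-privilege end state this report lets you measure progress toward.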