
What should I put in Powershell add-on Inputs.conf?

gph12
Explorer

I'm relatively new to Splunk and need some advice on deploying apps. I need to deploy the Windows Infrastructure App to get DNS logs into Splunk. That app requires the Powershell add-on on the server and deploying it to the Universal Forwarder on the domain controllers.

I've installed the Powershell app on the Splunk server. Before deploying to the Universal Forwarder, I need to configure the inputs.conf file. There's nothing I actually want from this. I'm only installing it so I can proceed with Windows Infrastructure App. I presume I need to log something but I don't know that for a fact. What do you recommend I put in this file?

Also, the installation instructions for the Powershell add-on were not as specific as the Windows add-on. Do I need to create a new index for the Powershell app?

Thanks

0 Karma

jbjerke_splunk
Splunk Employee

Hi gph12

You don't actually need the Powershell add-on to get DNS logs into Splunk. There is a requirement to have the Powershell add-on installed if you want to get Active Directory topology information from a Windows Server 2012 R2. Even if this is the use case, the Windows Infrastructure app would work without this information.

There is documentation on how to configure the DNS Add-on for the Windows Infrastructure app here:
http://docs.splunk.com/Documentation/MSApp/latest/MSInfra/DownloadandconfiguretheSplunkAdd-onsforWin...

It involves placing the pre-configured add-on package on the forwarder. You can either use the default inputs or modify them to your needs.

Let me know how you get along.

j

gph12
Explorer

Thanks for the information. That helps. I will proceed tomorrow and let you know the result.
G

0 Karma

gph12
Explorer

J, that worked out well for me. I deployed the DNS app to a DC\DNS server and am now getting what I need.

The AD options in Splunk also look interesting and I may deploy that. I have the Powershell app installed on the Splunk server. Will I need to deploy that to a domain controller?

Thanks,
G

0 Karma

jbjerke_splunk
Splunk Employee

For AD, Splunk will get most of its data from the standard Windows Add-on (Splunk_TA_windows) as well as from the DC add-ons that are bundled with the Splunk App for Windows Infrastructure. Install one of these add-ons that matches your DC version (TA-DomainController-2012R2, TA-DomainController-NT5 and TA-DomainController-NT6). If you have a DC 2012R you also need to install the Powershell add-on as a requisite. You can see the install guide for Splunk App for Windows Infrastructure under Active Directory for this. Powershell is mainly used to get topology and health and not the actual authentication events.

0 Karma