Getting Data In

Monitor Active Directory With Linux Indexer

cjaramilloc
Explorer

Hello,

I'm trying to capture Active Directory information from an AD server. I installed an universal forwarder in this server, and using deployment server I configured an input.conf as the manual example:

[admon://DefaultTargetDc]
targetDc = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com

My search head and my indexers are Linux Centos 7.

My question: Is the universal forwarder enough to accomplish active directory data extraction? or should I install a Heavy Forwarder.

Documentation refers to a splunk-admon.exe process? is this process included in the universal forwarder?.

1 Solution

kbrown_splunk
Splunk Employee
Splunk Employee

Yes, a UF can monitor AD. Your Linux servers are fine. This documents gives you everything you need:

http://blogs.splunk.com/2014/01/27/working-with-active-directory-on-splunk-universal-forwarders/

If you are monitoring multiple AD system then pay attention to the baseline parameter mentioned in the above doc.

View solution in original post

kbrown_splunk
Splunk Employee
Splunk Employee

Yes, a UF can monitor AD. Your Linux servers are fine. This documents gives you everything you need:

http://blogs.splunk.com/2014/01/27/working-with-active-directory-on-splunk-universal-forwarders/

If you are monitoring multiple AD system then pay attention to the baseline parameter mentioned in the above doc.

cjaramilloc
Explorer

Thanks. It was useful.
I'm receiving a low amount of events (I think), like 50 or 60 per hour... This server manage around a 1000 accounts. There is some configuring that I need to do in my AD server to receive more data?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!