I'm trying to capture Active Directory information from an AD server. I installed an universal forwarder in this server, and using deployment server I configured an input.conf as the manual example:
targetDc = pri01.eng.ad.splunk.com
startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com
My search head and my indexers are Linux Centos 7.
My question: Is the universal forwarder enough to accomplish active directory data extraction? or should I install a Heavy Forwarder.
Documentation refers to a splunk-admon.exe process? is this process included in the universal forwarder?.
Yes, a UF can monitor AD. Your Linux servers are fine. This documents gives you everything you need:
If you are monitoring multiple AD system then pay attention to the baseline parameter mentioned in the above doc.
View solution in original post
Thanks. It was useful.
I'm receiving a low amount of events (I think), like 50 or 60 per hour... This server manage around a 1000 accounts. There is some configuring that I need to do in my AD server to receive more data?