Splunk Enterprise

Help on AD monitoring with Splunk

jip31
Motivator

Hi

I am trying to list the different ways to collect Active Directory data in Splunk.

Unless I am mistaken, there are 2 main ways to do that:

  1. Using the Splunk Supporting Add-on for Active Directory: https://splunkbase.splunk.com/app/1151/
  2. Using the splunk-admon.exe process

Is that true? What are the advantages and disadvantages of these solutions, please?

Is it also possible to install a connector between Splunk and AD in order to store the AD events in a KV Store?

Thanks in advance


shivanshu1593
Builder

Hi @jip31 ,

Splunk recommends using the Active Directory add-on. It's much faster, more efficient and easier to debug if you encounter issues with it.

It gives you a connection to the AD forest. After that, all you need to do is configure a simple search to query the data and outputlookup it into a KV Store lookup, which is just what you're looking for.

Hope this helps.

Thanks,

S

***If this helped, please accept it as a solution. It helps others to find the solution for similar issues quickly.***

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
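The add-on workflow described in the answer above (query the forest, then outputlookup into a KV Store lookup on a schedule), written out as an added configuration example that is not from the thread or from the add-on itself. It assumes the Splunk Supporting Add-on for Active Directory (SA-ldapsearch) is installed with a domain stanza named `default`; the collection name `ad_users`, the lookup name `ad_users_lookup` and the saved search name are placeholders chosen here.

```ini
# collections.conf  -- declares the KV Store collection that holds the AD user snapshot
[ad_users]
field.sAMAccountName = string
field.distinguishedName = string
field.userAccountControl = number
field.snapshot_time = time
# accelerate the field the enrichment searches will join on
accelerated_fields.by_sam = {"sAMAccountName": 1}

# transforms.conf  -- the lookup definition that outputlookup/inputlookup use to reach the collection
[ad_users_lookup]
external_type = kvstore
collection = ad_users
fields_list = _key, sAMAccountName, distinguishedName, userAccountControl, snapshot_time

# savedsearches.conf  -- the scheduled search that keeps the process going.
# "default" is the domain stanza configured in the add-on (assumption).
# Only the attributes the lookup needs are requested, which keeps the LDAP
# query cheap and avoids copying sensitive attributes into the KV Store.
[AD user inventory to KV Store]
enableSched = 1
cron_schedule = 0 */6 * * *
dispatch.earliest_time = -1m
dispatch.latest_time = now
search = | ldapsearch domain=default search="(&(objectCategory=person)(objectClass=user))" attrs="sAMAccountName,distinguishedName,userAccountControl" \
| eval _key=sAMAccountName, snapshot_time=now() \
| table _key sAMAccountName distinguishedName userAccountControl snapshot_time \
| outputlookup ad_users_lookup
```

Setting `_key` to `sAMAccountName` gives each account a stable record id, so a later `| lookup ad_users_lookup sAMAccountName AS user OUTPUT userAccountControl` can enrich authentication events with the account's current state.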

jip31
Motivator

Hi

Thanks for your explanation of the Active Directory add-on.

Just another question 

Is it also possible to use DB Connect, link it with the AD forest and export events into a KV Store lookup?


shivanshu1593
Builder

I believe you can query AD using SQL commands, so technically it is possible. I'd consult with the server team and see if they are okay with it.

Piping the data into a KV Store using DB Connect is a big pain in the rear end. You'll have to do the following:

1. Create a search using the dbquery command and get the desired output from the AD forest.

2. Use outputlookup to put the data into the KV Store.

3. Save the search as a scheduled search to keep the process going.

Hope this helps.

Thank you,

S
