
Splunk Add-on for Microsoft Windows - Remote Active Directory domain

BrendanCO
Path Finder

Hi. So I'm reading about this Add-on and the instructions seem to be pretty straightforward about getting the Add-on installed on my search head and indexer. What I have are Domain Controllers on a network that is not local. I have a universal forwarder (Ubuntu) on site there which is forwarding Palo Alto logs via syslog-ng. 

My question is this. What do I need to install on a Domain Controller on the remote network to get it to gather Active Directory and forward to the indexer either directly or via the universal forwarder? 


PickleRick
SplunkTrust

You have to have access to the event log you want to pull your logs from. There are several possible approaches.

1. Typically you install the Universal Forwarder on your Domain Controller and it pulls the events from the local event logs.

But this approach might not be well received by your security and IT guys - installing additional software on DCs is not something taken lightly.

2. You might use Windows Event Forwarding to push or pull (depending on your deployment mode) the logs to another Windows server and get the events from there.

3. You can install the UF on a domain computer from which you'd query the DCs' event logs with WMI.

You can also try some third-party tools like SolarWinds syslog, but they will give you events in strange formats which will not directly work with the Windows Add-on and will need some conversion.
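
As an added example (not from this thread or from Splunk's own documentation), here are Universal Forwarder configuration fragments for the three approaches listed above. Host names (dc01, dc02, wec01) and index names are placeholders I made up; the stanza names and keys are standard Splunk `inputs.conf` / `wmi.conf` settings used by the Splunk Add-on for Microsoft Windows. Whichever approach you pick, the account the UF runs as needs read access to the logs in question; Local System has it on the local machine, and a restricted account needs at least membership in the built-in "Event Log Readers" group to read the Security log.

```ini
# Added example, not code from the thread. Placeholder hosts: dc01, dc02, wec01.

# --- Option 1: UF installed directly on the domain controller (inputs.conf) ---
# Reads the local Security and Directory Service event logs.
[WinEventLog://Security]
disabled = 0
renderXml = true
index = wineventlog

[WinEventLog://Directory Service]
disabled = 0
renderXml = true
index = wineventlog

# The "Active Directory Monitoring" check box in the installer enables an
# admon stanza like this one. It watches AD object changes over LDAP against
# the nearest DC; it does not read event logs. Empty targetDc/startingNode
# mean "nearest DC" and "domain root".
[admon://NearestDC]
targetDc =
startingNode =
monitorSubtree = 1
disabled = 0
index = msad

# --- Option 2: Windows Event Forwarding to a collector (inputs.conf on wec01) ---
# The DCs forward to wec01's ForwardedEvents log via a WEF subscription;
# the UF on wec01 only reads that one log, so nothing is installed on a DC.
[WinEventLog://ForwardedEvents]
disabled = 0
renderXml = true
index = wineventlog

# --- Option 3: UF on a domain member, pulling DC logs remotely over WMI ---
# This stanza goes in wmi.conf, not inputs.conf. The UF service must run as
# a domain account that can read event logs on dc01/dc02 remotely; Local
# System cannot authenticate to a remote host, so it will not work here.
[WMI:DCEventLogs]
server = dc01, dc02
interval = 10
event_log_file = Security, Directory Service
disabled = 0
index = wineventlog
```

Put the `inputs.conf` stanzas in `$SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/` on the host running the UF, restart the forwarder, and confirm data arrives with a search such as `index=wineventlog sourcetype=XmlWinEventLog earliest=-15m` before widening the set of logs collected.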


BrendanCO
Path Finder

OK, I see on the install it asks for a local, domain or virtual account. Then on the next screen there is an Active Directory Monitoring check box. Is that it? Also, do I need the user for the UF to be a Domain Account? Admin?


PickleRick
SplunkTrust

To be fully honest, I'm not that good with Windows, especially domains, to tell you exactly what user you need to run the UF on a DC. It needs to be able to read the event logs, so usually Local System is good enough, but for some it has too broad permissions, so they use another account with more tailored permissions and privileges.


BrendanCO
Path Finder

I do like the idea of installing the UF on a Domain Controller. I've seen it is not a heavy load on the server itself. During setup it asks what logs to gather and send along. Is that where I will have options that include AD logs and such? That's the part I'm not sure of. Does the UF specifically give the option to send along AD info?

I can ensure safe passage from the DC to the Splunk Indexer at AWS...
