Getting Data In

Is it possible for Windows event logs to be flagged up on the Active Directory and passed to a Splunk server via universal forwarder?

SecureIA
Path Finder

I have been assigned the task of implementing Splunk on my company network. I have Syslog communication with my server with no problems, but I would like to have my Windows devices communicating to Splunk.

Using the Universal Forwarder on my Active Directory server will show changes to the Active Directory config. However, my ultimate aim is to show logs from all the Windows devices on my network.

As an example, I would like to determine whether one of the Users or Computers in my domain has changed their Windows Firewall settings, or whether they have locked their account. I have installed the Universal Forwarder on my AD, and have also set up a Group Policy Object to audit events based upon what I need. My results so far are that only changes to my AD are being logged, such as the creation of a new OU, GPO or User.

Is there any possibility for my Windows Events to be flagged up on the AD and passed to my Splunk Server through the forwarder?
Additionally, does the server running Splunk have to reside on the same domain as the AD and Windows Devices?

0 Karma

spayneort
Contributor

You can use event log forwarding to send the events from all Windows devices to one server. Then you can install a Splunk forwarder on that server to collect the events.

http://blogs.splunk.com/2014/02/03/forwarding-windows-event-logs-to-another-host/

0 Karma
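The setup the answer describes, as an added example that is not part of the thread: on the Windows Event Collector (WEC) server, create a source-initiated Windows Event Forwarding subscription that pulls only the event IDs the asker mentions (account lockout, firewall rule and setting changes), then enable the ForwardedEvents channel in the Universal Forwarder's inputs.conf, which the default Windows inputs do not collect. The collector hostname, subscription name, index name and install path are assumptions.

```powershell
# Added example, not from the original post. Run as an administrator on the collector.
# 1. WinRM must be listening on the collector (and on every source computer).
winrm quickconfig -quiet

# 2. Subscription definition. Source computers learn the collector's address from GPO:
#    Computer Configuration > Administrative Templates > Windows Components >
#    Event Forwarding > Configure target Subscription Manager, for example
#    Server=http://wec01.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/windows/events/subscription">
  <SubscriptionId>AD-Lockouts-And-Firewall</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Account lockouts and Windows Firewall changes from domain members</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push"><Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching></Delivery>
  <!-- 4740 = account locked out; 4946-4948 = firewall rule added/modified/deleted;
       4950 = firewall setting changed. The matching audit subcategories
       (User Account Management, MPSSVC Rule-Level Policy Change) must be enabled by GPO. -->
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4740 or (EventID&gt;=4946 and EventID&lt;=4948) or EventID=4950)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL allowing Domain Computers (DC) and Network Service (NS) to forward; assumed, adjust as needed -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;NS)S:</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path "$env:TEMP\subscription.xml" -Value $subscription -Encoding UTF8
wecutil cs "$env:TEMP\subscription.xml"
wecutil gr AD-Lockouts-And-Firewall   # runtime status: which source computers are active

# 3. Universal Forwarder on the collector: explicitly collect the ForwardedEvents channel.
#    The index name and install path below are assumptions.
$inputs = @"
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog
renderXml = true
"@
$ufHome = "$env:ProgramFiles\SplunkUniversalForwarder"
Set-Content -Path "$ufHome\etc\system\local\inputs.conf" -Value $inputs -Encoding ASCII
& "$ufHome\bin\splunk.exe" restart
```

Once events arrive, a search such as `index=wineventlog EventCode=4740` confirms the end-to-end path; the Splunk server itself only needs network reachability from the forwarder, not domain membership.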