Currently debating installing Splunk on all Domain Controllers. Have a back and forth with my colleagues and security team as to if there is a real need for Splunk to be on all DC's. Currently using Splunk 6.5.1 on 6 DC's within 2 sites out of 11 DC's within 4 sites.
Debate is that it should only be installed on the PDC, however others say it should be installed on all. Any suggestions greatly appreciated.
I hope you mean you install Splunk Universal Forwarders (SUF) on your DCs rather than Splunk Core.
I think the decision comes down to what behavior you want when a DC not logging to Splunk becomes primary. When a secondary DC takes over as primary, it should would be nice to have that event logged in Splunk, which probably won't happen if not all DCs run SUF. Also, whatever dashboards or alerts you have will continue to function uninterrupted if the new PDC is already logging to Splunk.
I hope you mean you install Splunk Universal Forwarders (SUF) on your DCs rather than Splunk Core.
I think the decision comes down to what behavior you want when a DC not logging to Splunk becomes primary. When a secondary DC takes over as primary, it should would be nice to have that event logged in Splunk, which probably won't happen if not all DCs run SUF. Also, whatever dashboards or alerts you have will continue to function uninterrupted if the new PDC is already logging to Splunk.
Thanks. on to battle.
Appreciate the feed back.
-Mike
Thanks, Splunk agent is the only thing running on a few Domain Controllers. Ultimately would like to put on all remaining DC but the pushback from the team is why? The team thinks that running splunk agent on the PDC is enough. Other than the reason of what if you move PDC to another it will log uninterrupted, i find myself having a hard time justifying why Splunk agent should be on all.
As i understand, Most events are replicated across all Domain Controllers for Authentication purposes of a domain but security events as i understand dont. I am in favor of adding Splunk agent more so because of security events in this day and age.
Appreciate your info.
Thanks
Your security concerns are well-founded. An attacker on your SDCs might go unnoticed without Splunk logging.