All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Configure Splunk for Active Directory

amarzi
New Member
‎08-13-2012 08:52 AM

I am attempting to follow the online documentation/PDF for configuring my AD forwarder, but am having some trouble.

When customizing the index names in the .conf files, where in my Splunk install can I find these? Does anyone know the default index names that would have been used?

I installed the Splunk portion on my Kubuntu linux receiver a couple of weeks ago, and now am trying to configure the DC in my new DEV AD environment for Windows testing.

Thank you for any replies/help in advance

0 Karma
Reply

ajaypal01111992
New Member
‎11-26-2013 08:18 AM

hi all, i have configured splunk app for active directory. i am getting row data from active directory.

But when i am going through splunk app for AD there i can not see any kind of log, event, or data.

my configuration...

  1. Universal forwarder is installed in Active directory. with the correct port number 9997. As well as WMI is also correctly configured.

  2. Splunk 5 (receiver) is installed in one machine. and active directory app is also installed in same splunk instance.

  3. user have full access.

  4. but still i am not getting data.

please help me to solve this.

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎08-13-2012 09:39 AM

Are you just trying to assign the right index for the inputs.conf on the forwarder? The indexes in the app are msad, perfmon, and winevents and you'll find them defined on your splunk server in Splunk_for_ActiveDirectory/default/indexes.conf. If you need to create your own indexes you'll have some work to do but you can define those through the UI as well.

From the readme.txt file.

Configuring Indices

By default, the Splunk_TA_windows logs events into the main index. The TAs for Splunk App for
Active Directory log events into one of three indices:

* perfmon       = All performance data
* winevents     = All Windows Event Log data
* msad          = Everything else

If you decide on a different indexing scheme, you will need to create the indices, adjust the
inputs.conf on the TAs before deployment. In addition, you will need to adjust eventtypes.conf
and macros.conf for the new index locations.

0 Karma
Reply

malmoore
Splunk Employee
Splunk Employee
‎08-22-2012 10:13 AM

That typo has since been fixed.

0 Karma
Reply

amarzi
New Member
‎08-13-2012 11:52 AM

does anyone know where this went to?

  1. Download (http://splunk-base.splunk.com/apps/Splunk+support+for+active+directory) the new SA-ldapsearch supporting add-on and unpack it to an accessible location.

Important: The SA-ldapsearch supporting add-on replaces the Perl LDAP commands that come with the Splunk App for Active Directory.

0 Karma
Reply

amarzi
New Member
‎08-13-2012 10:12 AM

I'm trying to configure the admon.conf, perfmon.conf and inputs.conf as shown in
http://docs.splunk.com/Documentation/ActiveDirectory/latest/DeployAD/Configureanddeploythetechnicala...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...