I am currently trying to use Splunk to parse data from our Active Directory. I have currently loaded the Apps:
Splunk Add-on for Microsoft Active Directory 2.1.4
Splunk Supporting Add-On for Active Directory 1.0.0
Splunk Add-on for Microsoft DNS 1.0.1
Splunk Add-on for Windows infrastructure 1.4.1
Splunk Add-on for Microsoft Windows 4.8.4
What I am struggling with since there is no clear instruction set is how to get the data that is relevant to Active Directory. I have only been able to find Splunk® App for Active Directory (Legacy) documentation. Does any one have ideas to help me get the last few steps into providing this type of data for my customer?
Running:
Windows Server 2012 R2
16 Cores (Physical) 32 Cores (Virtual)
262 GB memory
Splunk 6.6.2
Hi,
I am not really a big fan of the MS addons. I would recommend to use Universal Forwarders, if possible. That's also what Splunk recommends these days (atleast what I heard in the last meeting): try to use a UF to get your data and if you can't, try to use an addon for the task.
What kind of logs are you trying to get? Event logs? There are quite a few examples in the documentation: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#WINDOWS_INPUTS:
Skalli
Edit: typo