Getting Data In

Splunk and Active Directory

molinarf
Communicator

I am currently trying to use Splunk to parse data from our Active Directory. I have currently loaded the Apps:

Splunk Add-on for Microsoft Active Directory 2.1.4
Splunk Supporting Add-On for Active Directory 1.0.0
Splunk Add-on for Microsoft DNS 1.0.1
Splunk Add-on for Windows infrastructure 1.4.1
Splunk Add-on for Microsoft Windows 4.8.4

What I am struggling with since there is no clear instruction set is how to get the data that is relevant to Active Directory. I have only been able to find Splunk® App for Active Directory (Legacy) documentation. Does anyone have ideas to help me get the last few steps into providing this type of data for my customer?

Running:
Windows Server 2012 R2
16 Cores (Physical) 32 Cores (Virtual)
262 GB memory
Splunk 6.6.2


skalliger
SplunkTrust

Hi,

I am not really a big fan of the MS addons. I would recommend using Universal Forwarders, if possible. That's also what Splunk recommends these days (at least what I heard in the last meeting): try to use a UF to get your data and if you can't, try to use an addon for the task.

What kind of logs are you trying to get? Event logs? There are quite a few examples in the documentation: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#WINDOWS_INPUTS

Skalli

Edit: typo

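As an added example (not part of skalliger's reply or of Splunk's documentation), this is the kind of inputs.conf a Universal Forwarder on a domain controller could use to collect the event logs and AD object changes the question is about. The index names and the whitelisted event codes are illustrative choices, not taken from the thread.

```ini
# inputs.conf on a Universal Forwarder installed on a domain controller
# (added example; index names and the event code selection are illustrative)

# Security log: authentication plus account and group management events
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
# Resolve SIDs and GUIDs to names so searches show readable principals
evt_resolve_ad_obj = 1
# Keep only the events that matter for AD monitoring; the rest is dropped
# at the forwarder, which keeps license usage and index volume down
whitelist = 4624,4625,4648,4720,4722,4724,4725,4726,4728,4732,4740,4756,4768,4769,4771,4776

# Directory Service log: replication and NTDS health on the DC
[WinEventLog://Directory Service]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0

# DNS Server log: the AD-integrated DNS role, if it runs on the same host
[WinEventLog://DNS Server]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0

# Active Directory monitoring (admon): streams object changes from the
# nearest DC so group membership and account changes can be searched
[admon://NearestDC]
disabled = 0
index = msad
# targetDc and startingNode are left unset: the nearest DC and the domain
# root are used. Set them to scope collection to one DC or one OU.
monitorSubtree = 1
# Take a one-time snapshot of existing objects so the index has a baseline
baseline = 1
```

Restart the forwarder after editing; the "Directory Service" and "DNS Server" channels only exist on hosts that hold those roles, so those stanzas are ignored elsewhere.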