Pulling data from non-domain machines

netmd · ‎10-13-2010

I have Splunk set up and working for all servers on my domain but I'm not understanding exactly how to to get non-domain machines included. I have a few dozen machines (all in different locations, none in any domain) that I need to get added. I've seen a bit on using forwarders to potentially pull it off but I'm not seeing how it's done. And yes, I'm extremely new to Splunk.

I'd guess I could set up local accounts on every single machine that all have the same credentials but that's not possible in the environment I'm working in.

Lowell · ‎10-13-2010

Splunk doesn't require any domain membership of any kind. Simply setup forwarders on each machine you want splunk to collect events on, and simply forward them all to one central splunk instance.

There is no authentication or authorization required between forwarders and the indexers (receivers).

If you are collecting logs over remote shares, then that's the only time I can think of when domain credentials are needed. And really that's not a splunk thing at all, it's just that a windows service needs to to run as a non-system user in order for it to access remote shares; but that's not the ideal splunk setup. Using individual forwarders is recommended.

Related docs:

http://www.splunk.com/base/Documentation/latest/Admin/Enableforwardingandreceiving

Pulling data from non-domain machines

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life