Getting Data In

Pulling data from non-domain machines

netmd
New Member

I have Splunk set up and working for all servers on my domain but I'm not understanding exactly how to to get non-domain machines included. I have a few dozen machines (all in different locations, none in any domain) that I need to get added. I've seen a bit on using forwarders to potentially pull it off but I'm not seeing how it's done. And yes, I'm extremely new to Splunk.

I'd guess I could set up local accounts on every single machine that all have the same credentials but that's not possible in the environment I'm working in.

Tags (1)
0 Karma

Lowell
Super Champion

Splunk doesn't require any domain membership of any kind. Simply setup forwarders on each machine you want splunk to collect events on, and simply forward them all to one central splunk instance.

There is no authentication or authorization required between forwarders and the indexers (receivers).

If you are collecting logs over remote shares, then that's the only time I can think of when domain credentials are needed. And really that's not a splunk thing at all, it's just that a windows service needs to to run as a non-system user in order for it to access remote shares; but that's not the ideal splunk setup. Using individual forwarders is recommended.


Related docs:

http://www.splunk.com/base/Documentation/latest/Admin/Enableforwardingandreceiving

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...