Hi,
I found that in order to make splunk able to read Event Log remotely, or read network shares for log files, I have to use a domain account, an active directory.
1) I need to know why we must use AD??
2) Is there another way to do it without the use of AD?
For me, I don't use AD!!
Any solutions!!!
That is just the way services work on Windows. Splunk's service (splunkd) must be running as a user that has permission to access the Event Log service on remote devices. Similarly, Windows file shares require that the service accessing the share have the appropriate credentials.
If you aren't using AD, then you just need to make sure that the user the Splunk services are running as (let's say 'splunk_service_account') exists on the remote boxes that you are attempting to access and has the same password on those machines. Furthermore, the user account should have at least read permission on the file share and must be in the Administrator group on the remote machines to read Event Logs.
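The mirrored-local-account setup this answer describes, written out as an added example (not from the original post and not Splunk's own tooling). It is meant to be run in an elevated PowerShell session on each remote host, entering the same password every time; the account name 'splunk_service_account' comes from the answer, while the share folder C:\Logs, the share name "Logs" and the Splunk host name are assumptions for the illustration.

```powershell
# Added example: provision the local account that splunkd on a non-domain
# Splunk host will authenticate as, on EACH remote Windows box.
# Assumptions (not on the page): the log files live in C:\Logs and are
# shared as "Logs"; the Splunk host is called SPLUNK01 in the read-back check.
# Needs the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

$AccountName = 'splunk_service_account'   # name used in the answer above
$LogFolder   = 'C:\Logs'                  # assumed folder holding the log files
$ShareName   = 'Logs'                     # assumed SMB share name

# Prompt instead of hard-coding the password; it has to be identical on every
# host because there is no domain to vouch for the account.
$Password = Read-Host -Prompt "Password for $AccountName" -AsSecureString

# 1. Create the local user, or just re-sync its password if it already exists.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $Password `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires `
        -Description 'Splunk remote Event Log / log share read account'
} else {
    Set-LocalUser -Name $AccountName -Password $Password
}

# 2. Remote Event Log reads by splunkd require local Administrators membership
#    on the remote host, as the answer states.
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $AccountName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $AccountName
}

# 3. Read-only access to the log files. NTFS permission on the folder ...
$acl  = Get-Acl -Path $LogFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AccountName, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $LogFolder -AclObject $acl

# ... and Read on the SMB share itself; Windows evaluates both layers.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $LogFolder -ReadAccess $AccountName | Out-Null
} else {
    Grant-SmbShareAccess -Name $ShareName -AccountName $AccountName -AccessRight Read -Force | Out-Null
}

# 4. Verification, run from the Splunk host (SPLUNK01) against this box, before
#    touching splunkd: one successful Get-WinEvent proves the Event Log path,
#    listing the mapped share proves the file path. Replace <remote-host>.
#
#   $cred = Get-Credential -UserName $AccountName -Message 'Splunk service account'
#   Get-WinEvent -ComputerName <remote-host> -LogName System -MaxEvents 1 -Credential $cred
#   New-PSDrive -Name L -PSProvider FileSystem -Root "\\<remote-host>\$ShareName" -Credential $cred
#   Get-ChildItem -Path 'L:\' | Select-Object -First 5
#   Remove-PSDrive -Name L
```

If the Get-WinEvent call fails with an access-denied error while the share listing works, the Administrators membership (step 2) is the usual missing piece; if the share listing fails, check the NTFS and share permissions from step 3 separately, since either one can deny the read.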
Also, just in case you aren't aware, you can also use something called the Universal Forwarder to forward Windows event logs back to your indexer. Basically instead of pulling them remotely you can install a small agent (the Universal Forwarder) on each Windows box and configure it to forward the event logs to the remote indexer. This is quite a safe and fairly common way to get the event logs into Splunk.
The beauty of this approach is you can also do some basic filtering of what you want before it reaches the indexer so you aren't necessarily just throwing everything at the indexer.
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Introducingtheuniversalforwarder
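As an added example of the filtering this answer mentions (not from the original post and not Splunk's own code), the following PowerShell script configures a freshly installed Universal Forwarder on a Windows host so it ships only selected Security and System events instead of every event. The default install path is Splunk's, but the app name "win_eventlog_inputs", the indexer host name splunk-idx.example.internal and the event codes chosen are assumptions for the illustration.

```powershell
# Added example: write a filtered WinEventLog input and an outputs.conf for a
# Universal Forwarder, then restart it and show the merged configuration.
# Assumptions (not on the page): default UF install path, an app named
# win_eventlog_inputs created here, indexer reachable on the usual port 9997.

$UfHome   = 'C:\Program Files\SplunkUniversalForwarder'
$AppLocal = Join-Path $UfHome 'etc\apps\win_eventlog_inputs\local'
$Indexer  = 'splunk-idx.example.internal:9997'   # assumed indexer

New-Item -ItemType Directory -Path $AppLocal -Force | Out-Null

# inputs.conf. A stanza with only "disabled = 0" and no whitelist/blacklist is
# the "throw everything at the indexer" case; the stanzas below keep a subset.
# whitelist/blacklist take a comma-separated EventCode list (ranges like
# 4624-4625 are allowed) or numbered key="regex" rules matched per field.
@"
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
# logons, explicit-credential use, privileged logons, process creation,
# account lifecycle, lockouts and audit-log clearing (assumed selection)
whitelist = 4624,4625,4648,4672,4688,4720,4722,4726,4728,4732,4740,1102
# drop process-creation events for the forwarder's own binary
blacklist1 = EventCode="4688" Message="New Process Name:\s+.*\\splunkd\.exe"

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
# service installs, service crashes and unexpected shutdowns (assumed selection)
whitelist = 7045,7034,6008
"@ | Set-Content -Path (Join-Path $AppLocal 'inputs.conf') -Encoding ASCII

# outputs.conf: the indexer that receives the forwarded events.
@"
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = $Indexer
"@ | Set-Content -Path (Join-Path $AppLocal 'outputs.conf') -Encoding ASCII

# Apply and verify: restart the forwarder, then let btool print the effective
# (merged) Security stanza so a typo in the whitelist is caught immediately.
Restart-Service -Name SplunkForwarder
& (Join-Path $UfHome 'bin\splunk.exe') btool inputs list WinEventLog://Security --debug
```

The filtering happens on the forwarder, so events that never match the whitelist are never sent; that is what keeps the indexer's license usage and the network traffic down, and it works without any shared local account on the monitored hosts, which is the part of this approach that makes it safer than remote pulling.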