The Active Directory (AD) database, also known as the NT Directory Service (NTDS) database, is the central repository for user, computer, network, device, and security objects in a Windows AD domain or forest. You can use Splunk Enterprise to record changes to AD, such as the addition or removal of a user, host, or domain controller (DC). If you use Splunk Cloud Platform, you must use the Splunk universal forwarder to collect Active Directory data from a Windows domain controller or member machine and forward that data to Splunk Cloud Platform. On Splunk Enterprise, you can also use the universal forwarder, or you can install Splunk Enterprise directly onto a Windows machine and collect the AD data that way.

You can configure AD monitoring to watch for changes to your Active Directory forest and collect user and machine metadata. You can use this feature combined with dynamic list lookups to decorate or modify events with any information available in AD. See About lookups in the Knowledge Manager Manual.

After you configure Splunk Enterprise to monitor your Active Directory, it takes a baseline snapshot of the AD schema. It uses this snapshot to establish a starting point for monitoring. The AD monitoring input runs as a separate process called splunk-admon.exe. It runs once for every Active Directory monitoring input you define in Splunk Enterprise.

If you maintain the integrity, security, and health of your Active Directory, then what happens with it day to day is a concern. With Splunk Enterprise, you can monitor what and when things changed in your AD and who changed them. You can transform this data into reports for corporate security compliance or forensics, for example. You can also use the data retrieved for intrusion alerts for immediate response. Additionally, you can create health reports with the data indexed for future AD infrastructure planning activities, such as assignment of operations master roles, AD replicas, and global catalogs across DCs.

You must meet the following requirements to monitor an Active Directory schema:

- Splunk Enterprise must run on Windows. See Install on Windows in the Installation Manual.
- Splunk Enterprise must run as a domain user. See Choose the Windows user Splunk Enterprise should run as in the Installation Manual.
- The user Splunk Enterprise runs as must have read access to all AD objects that you want to monitor.

Technical considerations for monitoring Active Directory

For best results with monitoring AD, note the following considerations:

- The AD monitor is only available on the Splunk platform on Windows. Splunk Cloud Platform cannot monitor AD directly.
- While you cannot monitor AD changes from a *nix version of Splunk Enterprise, you can forward AD data from a Windows version of Splunk Enterprise or the universal forwarder to a *nix indexer.
- The AD monitoring process can run under a full instance or on any kind of forwarder.
- The host that monitors changes to AD must belong to the domain or forest you want to monitor.
- The user that Splunk Enterprise runs as must also be part of the domain. For information on deciding which user Splunk Enterprise runs as at installation time, see Choose the Windows user Splunk Enterprise should run as in the Installation Manual.
- The permissions that the user has determine which parts of AD Splunk can monitor.

When you set up an AD monitoring input, the input connects to an AD domain controller to authenticate and, if necessary, performs any security ID (SID) translations while it gathers the AD schema or change events. The AD monitor uses the following logic to interact with Active Directory after you set it up:

You can specify a domain controller either with the targetDc setting in inputs.conf or the Target domain controller field in Splunk Web. If you specify a domain controller when you define the input, then the input uses that domain controller for AD operations. If you do not specify a domain controller, then the input does the following:
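The requirements above (domain-joined host, Splunk running as a domain user, read access to the objects being monitored, and the ability to bind to a DC) are easy to get wrong and only show up as an input that silently produces no events. The following PowerShell script is an added example, not Splunk's own code or part of the original page: it checks each prerequisite on the Windows host that will run splunk-admon.exe and, if the directory bind succeeds, prints an inputs.conf stanza pinned to the DC that answered via the targetDc setting mentioned above. The service names Splunkd and SplunkForwarder, the stanza name, and the disabled setting are assumptions; run the script as the Splunk service account to test that account's access rather than your own.

```powershell
# Added example (not Splunk's code): pre-flight checks for an AD monitoring host.
# Run in PowerShell on the Windows machine that will run splunk-admon.exe.
$ErrorActionPreference = 'Stop'

function Test-AdmonPrerequisites {
    $results = [ordered]@{}

    # 1. The host must belong to the domain or forest you want to monitor.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['HostDomainJoined'] = [bool]$cs.PartOfDomain
    $results['HostDomain']       = $cs.Domain

    # 2. Splunk must run as a domain user, not LocalSystem or a local account.
    #    'Splunkd' (Splunk Enterprise) and 'SplunkForwarder' (universal forwarder)
    #    are the service names assumed here; adjust them if yours differ.
    $svc = Get-CimInstance -ClassName Win32_Service |
           Where-Object { $_.Name -in @('Splunkd', 'SplunkForwarder') } |
           Select-Object -First 1
    if ($svc) {
        $results['SplunkService'] = $svc.Name
        $results['SplunkRunsAs']  = $svc.StartName
        # Built-in accounts show as 'LocalSystem', 'NT AUTHORITY\...', 'NT SERVICE\...'
        # or '.\localuser'; a domain account looks like DOMAIN\user or user@domain.
        $builtIn  = $svc.StartName -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)'
        $hasRealm = $svc.StartName -match '\\|@'
        $results['RunsAsDomainUser'] = (-not $builtIn) -and $hasRealm
    } else {
        $results['SplunkService']    = $null
        $results['RunsAsDomainUser'] = $false
    }

    # 3. Confirm the current account can bind to a DC and read the directory,
    #    which is what the input does when it gathers the schema baseline.
    try {
        $rootDse   = [ADSI]'LDAP://RootDSE'
        $defaultNc = $rootDse.defaultNamingContext.Value
        $results['BoundDomainController'] = $rootDse.dnsHostName.Value
        $results['DefaultNamingContext']  = $defaultNc

        # Read a small sample of objects from the domain partition to prove read access.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$defaultNc"
        $searcher.Filter     = '(objectClass=organizationalUnit)'
        $searcher.SizeLimit  = 5
        $results['SampleObjectsReadable'] = @($searcher.FindAll()).Count
        $results['CanReadDirectory']      = $true
    } catch {
        $results['CanReadDirectory'] = $false
        $results['ReadError']        = $_.Exception.Message
    }

    [pscustomobject]$results
}

$check = Test-AdmonPrerequisites
$check | Format-List

# If the bind succeeded, emit an inputs.conf stanza that pins the input to the DC
# that answered. The stanza name is arbitrary; only targetDc comes from the page.
if ($check.CanReadDirectory) {
    $stanza = @"
[admon://$($check.HostDomain)]
targetDc = $($check.BoundDomainController)
disabled = 0
"@
    Write-Output $stanza
}
```

A host that reports HostDomainJoined as False, RunsAsDomainUser as False, or CanReadDirectory as False fails one of the stated requirements and will not produce AD change events regardless of how the input is configured; fix that before tuning the input itself.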