Splunk® Enterprise

Add Microsoft Active Directory data: Distributed deployment with indexer clustering

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Configure your Microsoft Active Directory domain to generate audit events

Configure your Microsoft Active Directory domain so that the Windows hosts that act as domain controllers (DCs) generate the audit events that the Splunk platform collects. These steps apply to supported versions of Windows Server.

Prerequisites

Before you configure your Microsoft Active Directory domain, complete the following prerequisites:

  • Verify user authentication. To perform any operations on remote Windows machines in your network, Splunk Enterprise must run as a user with credentials to access those machines.
  • Verify disk bandwidth. Make sure you have enough bandwidth to support Splunk Enterprise indexers and data.
  • Make sure that you configure any installed antivirus software to avoid monitoring Splunk Enterprise directories or processes, because such scans significantly reduce performance.
  • Verify shared hosts.

Configure Active Directory audit policy

Configure the Active Directory audit policy to allow the DCs in your Active Directory to generate the needed events for your Splunk platform deployment.

By default, Active Directory does not automatically audit certain security events. You must enable event auditing so that your domain controllers log them into the Security event log channel. Create a Group Policy Object (GPO) and deploy that GPO to all DCs in your AD environment. Once you activate the GPO, your DCs log these security events into the security event log.

Then, install universal forwarders as deployment clients to the DCs and deploy the appropriate Active Directory add-ons into those clients. They collect the logs and forward them to your Splunk platform indexers.

Create a separate GPO for the audit settings and another for the PowerShell settings, or combine both sets of settings into a single GPO. Either way, create and deploy these GPOs separately from your other GPOs so that you can change or unlink them without affecting other policy.

Security event auditing and indexing volume

When you enable auditing for the Security Event Log on your DCs, the DCs generate a lot of data. These events significantly increase indexing volume and might cause indexing license violations. You might also see decreased performance on your domain controllers based on how much additional data the servers generate.

If you are concerned about the impact that enabling security event auditing might have on your indexing volume, you can update policy settings to generate only the data that is important to you.
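The following script is an added example, not part of the Splunk documentation or the add-ons: it measures how many Security events a DC has written over the last hour, projects that to a daily event count and an approximate volume, and lists the most frequent event IDs so you can see which audit subcategories drive the volume. It assumes an English event log and a rough average of 1500 bytes per event (the per-event size, the one-hour window and the small event ID lookup table are assumptions; adjust them to your own measurements).

```powershell
# Added example, not from the Splunk documentation: estimate the Security log
# volume a domain controller will produce before you forward it to Splunk.
# Run in an elevated PowerShell session on the DC after the audit GPO applies.
# Assumptions: English event log; ~1500 bytes per rendered event (adjust
# $BytesPerEvent to what you measure on your own forwarders).
param(
    [int]$Hours = 1,
    [int]$BytesPerEvent = 1500
)

# A few well-known Security event IDs so that the top talkers are readable.
$known = @{
    '4624' = 'An account was successfully logged on (Logon/Logoff)'
    '4634' = 'An account was logged off (Logon/Logoff)'
    '4662' = 'An operation was performed on an object (DS Access)'
    '4663' = 'An attempt was made to access an object (Object Access)'
    '4672' = 'Special privileges assigned to new logon (Logon/Logoff)'
    '4768' = 'Kerberos TGT requested (Account Logon)'
    '4769' = 'Kerberos service ticket requested (Account Logon)'
    '4776' = 'NTLM credential validation (Account Logon)'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
            -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No Security events in the last $Hours hour(s). Is auditing enabled and the GPO applied?"
    return
}

$perDay   = [math]::Round($events.Count / $Hours * 24)
$mbPerDay = [math]::Round($perDay * $BytesPerEvent / 1MB, 1)

"Security events in last $Hours h : $($events.Count)"
"Projected per day               : $perDay events, about $mbPerDay MB at $BytesPerEvent B/event"
""
"Top event IDs (trim the matching subcategory if its volume is not worth the license):"
$events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object {
        $desc = if ($known.ContainsKey($_.Name)) { $known[$_.Name] } else { '' }
        '{0,8}  {1,-6} {2}' -f $_.Count, $_.Name, $desc
    }
```

Run it once before and once after linking the audit GPO to see the difference the policy makes; on a busy DC, Kerberos ticket events (4768/4769) and logon/logoff events usually dominate, so those are the subcategories to look at first if you need to reduce volume.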

Enable auditing on Windows Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2

Perform the following tasks to enable auditing on your servers.

Create a new group policy object

  1. From the Windows Start menu, click Start > Administrative Tools > Group Policy Management.
  2. In the left pane, under Group Policy Management, expand the forest and domain for which you want to set a group policy.
  3. Right-click Group Policy Objects and select New.
  4. In the dialog window that opens, enter a unique, descriptive name for the new GPO in the Name field, and select None for the Source Starter GPO field.

Edit the GPO to change audit policy

If your domain controllers run a version earlier than Windows Server 2008 R2, use the following steps:

  1. Open the GPO for editing by right-clicking the newly created GPO in the Group Policy Objects window and selecting Edit.
  2. In the GPO editor, select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
  3. Enable both Success and Failure auditing for the following policy settings:
    • Audit account logon events
    • Audit account management
    • Audit directory service access
    • Audit logon events
    • Audit object access
    • Audit policy change
    • Audit privilege use
    • Audit system events
  4. Close the Group Policy Object editor window to save your changes.

If your domain controllers run Windows Server 2008 R2 or later, use the following steps:

  1. Open the GPO for editing by right-clicking the newly created GPO in the Group Policy Objects window and selecting Edit.
  2. In the GPO editor, select Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  3. Expand each of the following categories and enable both Success and Failure auditing for the subcategories you need. These are the Advanced Audit Policy equivalents of the legacy settings listed above:
    • Account Logon
    • Account Management
    • DS Access
    • Logon/Logoff
    • Object Access
    • Policy Change
    • Privilege Use
    • System
  4. Under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, confirm that Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is set to Enabled, so that a legacy category-level audit policy linked elsewhere in the domain cannot override these subcategory settings.
  5. Close the Group Policy Object editor to save your changes.

If you need help deciding which policies to enable, see the Microsoft documentation on audit policy recommendations. Otherwise, follow your organization's security requirements.

Deploy the GPO

  1. In Group Policy Management, in the left pane of the window, right-click the Domain Controllers organizational unit and click Link an Existing GPO.
  2. Select the GPO you created.
  3. Click OK. The GPMC refreshes to show that your GPO is linked to the Domain Controllers organizational unit.
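Linking the GPO does not prove that the DC is auditing what you expect. The following script is an added example, not part of the Splunk documentation: run it on a DC after the policy has refreshed, and it reads the effective audit policy with auditpol, flags every required subcategory that is not set to Success and Failure, and checks that subcategory settings take precedence over legacy category settings. The list of required subcategories is a representative subset of the eight categories above (an assumption; extend it to match what you enabled), and the subcategory names assume an English system because auditpol output is localized.

```powershell
# Added example, not from the Splunk documentation: verify the effective audit
# policy on this domain controller against what the audit GPO should have set.
# Run in an elevated PowerShell session on the DC after the policy has refreshed.
# Assumptions: English subcategory names; $required is a representative subset
# of the page's eight categories, so extend it to match your GPO.
$required = @(
    'Credential Validation',              # Account Logon
    'Kerberos Authentication Service',    # Account Logon
    'Kerberos Service Ticket Operations', # Account Logon
    'User Account Management',            # Account Management
    'Security Group Management',          # Account Management
    'Directory Service Access',           # DS Access
    'Directory Service Changes',          # DS Access
    'Logon',                              # Logon/Logoff
    'Logoff',                             # Logon/Logoff
    'Special Logon',                      # Logon/Logoff
    'Audit Policy Change',                # Policy Change
    'Authentication Policy Change',       # Policy Change
    'Sensitive Privilege Use',            # Privilege Use
    'Security State Change',              # System
    'Security System Extension'           # System
)

# auditpol /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting.
$policy = auditpol.exe /get '/category:*' /r | ConvertFrom-Csv
if (-not $policy) { throw 'auditpol returned nothing; run this from an elevated prompt.' }

$effective = @{}
foreach ($row in $policy) { $effective[$row.Subcategory.Trim()] = $row.'Inclusion Setting' }

$problems = foreach ($sub in $required) {
    $setting = $effective[$sub]
    if ($setting -ne 'Success and Failure') {
        if ($null -eq $setting) { $setting = 'not found' }
        New-Object PSObject -Property @{ Subcategory = $sub; Effective = $setting }
    }
}

if ($problems) {
    'Subcategories that are NOT set to "Success and Failure":'
    $problems | Format-Table Subcategory, Effective -AutoSize
} else {
    'All required subcategories audit Success and Failure.'
}

# The security option "Audit: Force audit policy subcategory settings (Windows
# Vista or later) to override audit policy category settings" is stored under the
# Lsa key as SCENoApplyLegacyAuditPolicy. If it is not 1, a legacy category-level
# audit GPO linked elsewhere can silently override the subcategory settings.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    'Subcategory settings take precedence over legacy category settings.'
} else {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; a legacy audit GPO could override these settings.'
}
```

If a subcategory shows as "No Auditing" even though the GPO is linked, the usual causes are a pending policy refresh, a second GPO with a higher link order that defines the same subcategory, or a legacy category-level policy winning because the override option above is not enabled.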

Configure PowerShell Execution policy in Active Directory

Configure your DCs to allow local execution of PowerShell scripts so that the scripts in the Splunk Active Directory add-ons can run on the AD hosts in your environment.

The add-ons included in the Splunk App for Windows Infrastructure installation package contain PowerShell scripts that must run on the AD (DCs and DNS) hosts in your AD environment. You must configure your DCs to allow local execution of PowerShell scripts so that they can run.

To enable local execution of PowerShell scripts on your DCs:

  1. If necessary, download and install the Windows Management Framework from Microsoft's Support site.

    All versions of Windows Server 2008 SP2 (except Core) and Windows Server 2008 R2 have PowerShell installed by default. All versions of Windows Server 2012 have PowerShell 3.0 installed by default. You might need to install Windows Management Framework on Windows Server 2003 family computers.

  2. If necessary, download and install the Administrative Templates for Microsoft PowerShell from Microsoft.

    All versions of Windows Server 2008 (except Core) and later have the required templates for PowerShell installed.

  3. Create a new Active Directory GPO.
  4. Open the GPO for editing.
  5. In the GPO editor, select Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell.
  6. Right-click Turn on script execution, then select Edit.
  7. Click the Enabled radio button.
  8. In the Execution Policy drop-down, select Allow local scripts and remote signed scripts. This corresponds to the RemoteSigned execution policy: unsigned scripts on the local disk can run, but scripts downloaded from the internet must be signed.
  9. Click OK to accept the changes.
  10. Close the Group Policy Object editor to save your changes.
  11. Deploy the GPO.
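The same GPO can be built without the GUI, which is easier to repeat across domains and to keep in version control. The following script is an added example, not part of the Splunk documentation or the Windows Infrastructure add-ons: using the GroupPolicy and ActiveDirectory modules from RSAT, it creates the GPO, sets the two registry values that the Turn on script execution policy writes, links the GPO to the Domain Controllers OU only, forces a refresh on every DC, and checks the resulting MachinePolicy scope. The GPO name is an assumption, and the refresh and verification steps assume WinRM is enabled on the DCs.

```powershell
# Added example, not from the Splunk documentation: build the "Turn on script
# execution" GPO with the GroupPolicy module instead of the GUI, link it to the
# Domain Controllers OU, refresh policy on each DC and verify the result.
# Run as a domain admin on a host with RSAT (GroupPolicy + ActiveDirectory modules).
# Assumptions: the GPO name below is ours; WinRM is enabled on the DCs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Splunk - PowerShell script execution'   # assumption: pick your own name
$domainDN = (Get-ADDomain).DistinguishedName
$dcOU     = "OU=Domain Controllers,$domainDN"
$psKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

$gpo = try { Get-GPO -Name $gpoName -ErrorAction Stop } catch { $null }
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Allows Splunk add-on scripts to run on DCs'
}

# "Turn on script execution" = Enabled with "Allow local scripts and remote signed
# scripts" is stored as these two values under the PowerShell policy key.
Set-GPRegistryValue -Name $gpoName -Key $psKey -ValueName 'EnableScripts' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $psKey -ValueName 'ExecutionPolicy' `
    -Type String -Value 'RemoteSigned' | Out-Null

# Link only to the Domain Controllers OU, as the GUI steps do; never to the domain root.
$alreadyLinked = (Get-GPInheritance -Target $dcOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $dcOU -LinkEnabled Yes | Out-Null
}

# Force a refresh on every DC rather than waiting for the background refresh.
# Without WinRM, run "gpupdate /force" on each DC instead.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock { gpupdate.exe /force | Out-Null }

# Verify: the MachinePolicy scope must show RemoteSigned. A GPO-set MachinePolicy
# cannot be changed with Set-ExecutionPolicy on the DC, but execution policy is not
# a security boundary: "powershell -ExecutionPolicy Bypass" still runs anything,
# so treat this as a configuration safeguard, not as access control.
Invoke-Command -ComputerName $dcs -ScriptBlock {
    New-Object PSObject -Property @{
        Computer      = $env:COMPUTERNAME
        MachinePolicy = (Get-ExecutionPolicy -Scope MachinePolicy)
    }
} | Format-Table Computer, MachinePolicy -AutoSize
```

Keep the scope narrow: the add-on scripts only need to run on AD hosts, so link this GPO to the Domain Controllers OU (and, if you collect DNS data from separate servers, to the OU that holds them) rather than to the domain root.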

GPO updates

Once you have deployed the GPOs, domain member computers can take up to 120 minutes to apply them (the default background refresh interval is 90 minutes plus a random offset of up to 30 minutes); domain controllers refresh Group Policy every 5 minutes by default. To apply the GPOs immediately, run the GPUPDATE /force command on every computer whose policy you want to update.

Last modified on 27 August, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10