Splunk® Add-on for Microsoft Active Directory

Install and use the Splunk Add-on for Microsoft Active Directory

Download manual as PDF

Download topic as PDF

Install the Splunk Add-on for Microsoft Active Directory

  1. Get the Splunk Add-on for Microsoft Active Directory by downloading it from https://splunkbase.splunk.com/app/3207 or browsing to it using the app browser within Splunk Web.
  2. Determine where and how to install this add-on in your deployment, using the tables on this page.
  3. Perform any prerequisite steps before installing, if required and specified in the tables below.
  4. Complete your installation.

These add-ons have been specifically created for use with the Splunk Apps for Microsoft Exchange and Windows Infrastructure. There are specific installation instructions for these add-ons for use with those apps:

Splunk App for Microsoft Exchange

Splunk App for Windows Infrastructure

You can also use the add-on to collect Active Directory data outside of these apps. For best results, however, you must configure your Windows Active Directory and DNS environments for increased logging.

Distributed deployments

Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you use forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.

Where to install this add-on

Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.

These tables provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.

Splunk Add-on for Microsoft Active Directory

Splunk platform instance type Supported Required Actions required / Comments
Search Heads Yes Yes Install this add-on to one or more search heads that are also domain controllers and where Active Directory knowledge management is required.
Indexers Yes No Install this add-on to indexers only if they are also domain controllers and Active Directory knowledge is required. If you use a universal or light forwarder for data collection, install the add-on to your indexers.
Heavy Forwarders Yes See comments All forwarder types are supported. The forwarder needs to be installed directly on the domain controller for Active Directory monitoring.
Universal Forwarders Yes
Light Forwarders Yes

Distributed deployment feature compatibility

This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.

Distributed deployment feature Supported Comments
Search Head Clusters Yes You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection.

Before you install this add-on to a cluster, remove the eventgen.conf file and all files in the samples folder.

Indexer Clusters Yes Before you install this add-on to a cluster, remove the eventgen.conf file and all files in the samples folder.
Deployment Server Yes Supported for deploying the configured add-on to multiple nodes. This is a Splunk best practice and the Splunk Apps for Microsoft Exchange and Windows Infrastructure use a deployment server to facilitate easier installation.

Installation walkthroughs

The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.

For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:

PREVIOUS
Hardware and software requirements for the Splunk Add-on for Microsoft Active Directory
  NEXT
Configure the Splunk Add-on for Microsoft Active Directory

This documentation applies to the following versions of Splunk® Add-on for Microsoft Active Directory: 1.0.0, 1.0.1


Comments

@V3n0m

The error you ran into isn't related to the add-on. In your case, the add-on is trying to connect to the LDAP server, and the server resets the connection. Verify that SSL is enabled on the LDAP server:

1. Go to the LDAP server.
2. Write LDP in the run window.
3. Go to the Connection tab.
4. Add server name and port.
5. Check the SSL box.
6. Click OK.

Let me know if you still run into an error after ensuring that SSL is enabled on the LDAP server.

Nicolen splunk, Splunker
February 19, 2019

Hi @V3n0m,
I've reached out to the Splunk Add-on for Microsoft Active Directory to get some information that'll help you out. I'll get back to you when I hear from them. Thanks for reaching out!

Nicolen splunk, Splunker
February 15, 2019

Thanks this guide was helpful.
But i Have faced a problem when i configure it on SSL 636 port this error from the logs :
Level=ERROR, Pid=12843, File=search_command.py, Line=373, Abnormal exit: # host: 10.********: Could not access the directory service at ldaps://10.********:636: socket ssl wrapping error: [Errno 104] Connection reset by peer

Please Advice me so i can configure it right. And just for the records it worked well on 389 port

V3n0m
February 12, 2019

This part is ambiguous:

Search Heads Yes No Install this add-on to one or more search heads that are also domain controllers and where Active Directory knowledge management is required.
Indexers Yes No Install this add-on to indexers only if they are also domain controllers and Active Directory knowledge is required.

whereas http://docs.splunk.com/Documentation/DCADAddon/1.0.0/DCADAddon/Configuretheadd-ons

states the following:

Additionally, to get the search time extractions that the add-on provides, install both this add-on and the Splunk Add-on for Windows DNS into the indexers that receive the Active Directory and DNS data, and any search heads that connect to and search those indexers.

From what I can see in the props.conf config the app is required on indexers and search heads as it contains lookups, field extractions and SHOULD_LINEMERGE rules.

The same comment applies to the DNS add-on.

Mikaelbje
November 11, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters