Splunk® Add-on for Microsoft Active Directory

Install and use the Splunk Add-on for Microsoft Active Directory

Download manual as PDF

Download topic as PDF

Install the Splunk Add-on for Microsoft Active Directory

  1. Get the Splunk Add-on for Microsoft Active Directory by downloading it from https://splunkbase.splunk.com/app/3207 or browsing to it using the app browser within Splunk Web.
  2. Determine where and how to install this add-on in your deployment, using the tables on this page.
  3. Perform any prerequisite steps before installing, if required and specified in the tables below.
  4. Complete your installation.

These add-ons have been specifically created for use with the Splunk Apps for Microsoft Exchange and Windows Infrastructure. There are specific installation instructions for these add-ons for use with those apps:

Splunk App for Microsoft Exchange

Splunk App for Windows Infrastructure

You can also use the add-on to collect Active Directory data outside of these apps. For best results, however, you must configure your Windows Active Directory and DNS environments for increased logging.

Distributed deployments

Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you use forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.

Where to install this add-on

Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.

These tables provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.

Splunk Add-on for Microsoft Active Directory

Splunk platform instance type Supported Required Actions required / Comments
Search Heads Yes Yes Install this add-on to one or more search heads that are also domain controllers and where Active Directory knowledge management is required.
Indexers Yes No Install this add-on to indexers only if they are also domain controllers and Active Directory knowledge is required. If you use a universal or light forwarder for data collection, install the add-on to your indexers.
Heavy Forwarders Yes See comments All forwarder types are supported. The forwarder needs to be installed directly on the domain controller for Active Directory monitoring.
Universal Forwarders Yes
Light Forwarders Yes

Distributed deployment feature compatibility

This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.

Distributed deployment feature Supported Comments
Search Head Clusters Yes You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection.

Before you install this add-on to a cluster, remove the eventgen.conf file and all files in the samples folder.

Indexer Clusters Yes Before you install this add-on to a cluster, remove the eventgen.conf file and all files in the samples folder.
Deployment Server Yes Supported for deploying the configured add-on to multiple nodes. This is a Splunk best practice and the Splunk Apps for Microsoft Exchange and Windows Infrastructure use a deployment server to facilitate easier installation.

Installation walkthroughs

The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.

For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:

PREVIOUS
Hardware and software requirements for the Splunk Add-on for Microsoft Active Directory
  NEXT
Configure the Splunk Add-on for Microsoft Active Directory

This documentation applies to the following versions of Splunk® Add-on for Microsoft Active Directory: 1.0.0


Comments

This part is ambiguous:

Search Heads Yes No Install this add-on to one or more search heads that are also domain controllers and where Active Directory knowledge management is required.
Indexers Yes No Install this add-on to indexers only if they are also domain controllers and Active Directory knowledge is required.

whereas http://docs.splunk.com/Documentation/DCADAddon/1.0.0/DCADAddon/Configuretheadd-ons

states the following:

Additionally, to get the search time extractions that the add-on provides, install both this add-on and the Splunk Add-on for Windows DNS into the indexers that receive the Active Directory and DNS data, and any search heads that connect to and search those indexers.

From what I can see in the props.conf config the app is required on indexers and search heads as it contains lookups, field extractions and SHOULD_LINEMERGE rules.

The same comment applies to the DNS add-on.

Mikaelbje
November 11, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters