Splunk® App for Windows Infrastructure

Deploy and Use the Splunk App for Windows Infrastructure


Deploy the Splunk Add-ons for Active Directory

This topic discusses how to deploy the Splunk Add-ons for Active Directory into deployment clients that you install onto your Active Directory domain controllers.

Which Active Directory add-ons go where?

The deployment server must be made aware of the new add-ons before you can deploy them to deployment clients. You do this by placing the add-ons in the deployment apps directory.

In this case, since not every Windows host in the Exchange deployment is an Active Directory domain controller, not every host should receive the Splunk Add-ons for Active Directory. Also, because there is a different Active Directory add-on for each family of Windows Server versions, each domain controller should receive only the add-on that was built for its version of Windows Server.

This means that, during this part of the setup, you will define new deployment classes at the deployment server to account for these differences.

As a reminder, here is the list of available add-ons for Active Directory, and what versions of Windows Server they should be installed on:

Add-on                      Description
--------------------------  ----------------------------------------------------------------------------------
TA-DomainController-NT5     For Active Directory domain controllers running Windows Server 2003/2003 R2 and earlier
TA-DomainController-NT6     For Active Directory domain controllers running Windows Server 2008/2008 R2 and later
TA-DomainController-2012r2  For Active Directory domain controllers running Windows Server 2012 R2 and later. Requires the Splunk Add-on for PowerShell.

This is the same table shown in "More information about the Active Directory add-ons."

Best practice: Only deploy the Active Directory add-ons to a select group of domain controllers

Consider how many domain controllers in the deployment should receive the enabled add-ons. Best practice recommends that only one domain controller receives the add-ons, with one or two others receiving the deployment as a backup.

Place the add-ons in the deployment apps directory on the deployment server

First, make the deployment server aware of the new add-ons:

1. Open a command prompt on the deployment server/indexer.

2. Copy the add-on folders from their current location to the deployment apps directory:

> Copy-Item -Path "C:\Downloads\splunk_app_windows_infrastructure\appserver\addons\TA-DomainController*" -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse -Force

3. Tell the deployment server to reload its deployment configuration.

> cd \Program Files\Splunk\bin
> .\splunk reload deploy-server

4. From a web browser, log into Splunk Enterprise on the deployment server.

5. In the system bar, select Settings > Forwarder Management.

6. Click the Apps tab. You should see the TA-DomainController* add-ons in the list of apps.


Define a new server class for domain controllers

In this procedure, you will define a new server class for Windows Server 2008 domain controllers. In this server class, you will deploy the TA-DomainController-NT6 add-on. Later, you will assign this server class to a deployment client that runs Windows Server 2008.

1. In the "TA-DomainController-NT6" add-on entry in the list, click Edit. Splunk Enterprise loads the "Edit App: TA-DomainController-NT6" page.

2. Click the gray "+" sign under "Server Classes".

3. In the pop-up that appears, click New Server Class.

4. In the "New Server Class" dialog box that pops up, enter "Domain Controllers - Server 2008".

Note: When you set up additional server classes later in the setup process, give each one a unique name that describes the hosts that belong to it and that you will remember.

5. Click Save. Splunk Enterprise saves the class and loads the information page for the server class you just created.

Note that it says you have not added any apps or clients yet. This is okay, as you have just created the class.

6. Click Add apps. Splunk Enterprise loads the "Edit Apps" page.

7. Locate and click the "TA-DomainController-NT6" add-on in the "Unselected Apps" pane on the left. The app moves to the "Selected Apps" pane on the right.

8. Click Save. Splunk Enterprise saves the configuration and returns you to the server class information page.

Add domain controller clients to the server class

Note: If you have not installed a universal forwarder on a Windows host that runs Windows Server 2008, do so now, using the instructions in "Install a universal forwarder on each Windows host". Then continue with the following steps.

To assign the domain controller deployment client to the "Domain Controllers - Server 2008" server class:

1. In the server class information page, click Add clients. Splunk Enterprise loads the "Edit clients" page.

2. In the "Include (whitelist)" field, enter the name of the domain controller.

3. Click Preview. Splunk Enterprise updates the host list at the bottom and places check marks on the hosts that match what you entered in the "Include (whitelist)" field.

4. Click Save. Splunk Enterprise adds the host to the server class and deploys the add-on to the deployment client on the Active Directory host.

Add domain controller clients to the "universal forwarder" server class

In the same way that you added the domain controller deployment client to the "Domain Controllers - Server 2008" server class to deploy the Active Directory add-on, you should also add the client to the "universal forwarder" server class. This does two things:

  • Deploys the Splunk Add-on for Windows to the domain controller, which enables the client to collect Windows data from the controller.
  • Deploys the "send to indexer" app to the domain controller client, which enables the client to forward Windows and Active Directory data to the indexer.

To add the domain controller to the "universal forwarder" server class, follow the instructions at "Add the universal forwarder to the server class."
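As an added example (not part of the Splunk documentation), the following PowerShell builds the serverclass.conf stanzas that correspond to the server class, app and whitelist steps above, choosing the one Active Directory add-on built for each domain controller's Windows Server version. The host names are constructed, and the folder name of the Splunk Add-on for PowerShell is a placeholder because this topic does not give it.

```powershell
# Added example, not from the Splunk documentation: serverclass.conf stanzas
# equivalent to the Forwarder Management steps in this topic. Host names are
# constructed; $PowerShellAddon is a placeholder for the folder name of the
# Splunk Add-on for PowerShell, which this topic does not give.

function Get-AdAddonForOs {
    param([Parameter(Mandatory)][string]$OsCaption)
    # Mapping taken from the add-on table in this topic.
    # Order matters: "2012 R2" must be tested before the plain "2012" case.
    switch -Regex ($OsCaption) {
        'Server 2003'                                  { return 'TA-DomainController-NT5' }
        'Server 2012 R2|Server 201[6-9]|Server 202\d'  { return 'TA-DomainController-2012r2' }
        'Server 2008|Server 2012'                      { return 'TA-DomainController-NT6' }
        default { throw "No Active Directory add-on is defined for '$OsCaption'" }
    }
}

function New-DcServerClassConf {
    param(
        # Only the selected controllers (one primary plus one or two backups, per the
        # best practice above); name -> OS caption, as reported on each host by
        # (Get-CimInstance Win32_OperatingSystem).Caption
        [Parameter(Mandatory)][hashtable]$DomainControllers,
        [string]$PowerShellAddon = '<Splunk-Add-on-for-PowerShell-folder>'   # placeholder
    )
    $byAddon = @{}
    foreach ($dc in $DomainControllers.GetEnumerator()) {
        $addon = Get-AdAddonForOs -OsCaption $dc.Value
        if (-not $byAddon.ContainsKey($addon)) { $byAddon[$addon] = @() }
        $byAddon[$addon] += $dc.Key
    }
    $sb = [System.Text.StringBuilder]::new()
    foreach ($addon in ($byAddon.Keys | Sort-Object)) {
        $class = "Domain Controllers - $addon"            # one server class per add-on
        [void]$sb.AppendLine("[serverClass:$class]")
        $i = 0
        foreach ($dcName in ($byAddon[$addon] | Sort-Object)) {
            [void]$sb.AppendLine("whitelist.$i = $dcName")   # the "Include (whitelist)" field
            $i++
        }
        [void]$sb.AppendLine("[serverClass:${class}:app:$addon]")
        [void]$sb.AppendLine('restartSplunkd = true')
        if ($addon -eq 'TA-DomainController-2012r2') {
            # The 2012 R2 add-on requires the Splunk Add-on for PowerShell on the same host.
            [void]$sb.AppendLine("[serverClass:${class}:app:$PowerShellAddon]")
            [void]$sb.AppendLine('restartSplunkd = true')
        }
        [void]$sb.AppendLine()
    }
    return $sb.ToString()
}

# Constructed sample: one Windows Server 2008 R2 controller and one 2012 R2 backup.
New-DcServerClassConf -DomainControllers @{
    'dc01' = 'Microsoft Windows Server 2008 R2 Standard'
    'dc02' = 'Microsoft Windows Server 2012 R2 Datacenter'
}
```

After placing the generated stanzas in the deployment server's serverclass.conf, run `splunk reload deploy-server` as in step 3 above so the change takes effect.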

What's next?

You have now deployed the Active Directory add-on onto your domain controller deployment client. In the future, you can use this procedure to deploy the add-on(s) to additional client(s).

Next, you will confirm that Active Directory data is coming into the indexer from the deployment client.

Last modified on 16 May, 2016

This documentation applies to the following versions of Splunk® App for Windows Infrastructure: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1
