Splunk® App for Windows Infrastructure (Legacy)

Deploy and Use the Splunk App for Windows Infrastructure

Acrobat logo Download manual as PDF

On October 20, 2021, the Splunk App for Windows Infrastructure will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Windows Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for Windows Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Deploy the Splunk Add-on for Microsoft Active Directory

The deployment server (the Splunk Enterprise instance that manages and updates configurations and apps for universal forwarders in a Splunk Enterprise deployment) must be made aware of the Splunk Add-on for Microsoft Active Directory before you can deploy it to deployment clients.

This means that, during this part of the setup, you will define new deployment classes at the deployment server to account for these differences.

Best practice: Only deploy the Splunk Add-on for Microsoft Active Directory to a select group of domain controllers

Consider the number of domain controllers that you deploy the Active Directory add-ons. Best practice recommends that only one domain controller in an Active Directory domain or forest receives the add-on, with one or two others receiving it as a backup.

Place the Splunk Add-on for Microsoft Active Directory in the deployment apps directory on the deployment server.

  1. Open a command prompt on the deployment server/indexer.
  2. Copy the add-on folder from their current location to the deployment apps directory:
    > Copy-Item -Path C:\Downloads\Splunk_TA_microsoft_ad -Destination "C:\Program Files\Splunk\etc\deployment-apps -Recurse -Force
  3. Reload the deployment server configuration.
    > cd \Program Files\Splunk\bin
    > .\splunk reload deploy-server
  4. From a web browser, log into Splunk Enterprise on the deployment server.
  5. In the system bar, select Settings > Forwarder Management.
  6. Click the Apps tab. The Splunk_TA_microsoft_ad* add-ons should appear in the list of apps.

Define a new server class for domain controllers

In this procedure, you will define a new server class for Windows Server 2008 domain controllers. In this server class, you will deploy the Splunk_TA_microsoft_ad add-on. Later, you will assign this server class to a universal forwarder that runs atop a host that runs Windows Server 2008.

  1. In the "Splunk_TA_microsoft_ad" add-on entry in the list, click Edit. Splunk Enterprise loads the "Edit App: Splunk_TA_microsoft_ad" page.
  2. Under "Server Classes", click +.
  3. In the pop-up that appears, click New Server Class.
  4. In the "New Server Class" dialog box that pops up, enter "Domain Controllers".

    Note: You can enter a unique name for the server class that describes the hosts that belong in the class, and that you will remember.
  5. Click Save. Splunk Enterprise saves the class and loads the information page for the server class you just created.

    Note: The page indicates that you have not added any apps or clients yet. This is okay, as you have just created the class.
  6. Click Add apps. Splunk Enterprise loads the Edit Apps page.
  7. Locate and click the "Splunk_TA_microsoft_ad" add-on in the Unselected Apps pane on the left. The app moves to the "Selected Apps" pane on the right.
  8. Click Save. Splunk Enterprise saves the configuration and returns you to the server class information page.

Add domain controller clients to the server class

If you have not installed a universal forwarder on a Windows domain controller, do so now. See "Install a universal forwarder on each Windows host".

  1. In the server class information page, click Add clients. Splunk Enterprise loads the "Edit clients" page.
  2. In the "Include (whitelist)" field, enter the host name of the domain controller.
  3. Click Preview. Splunk Enterprise updates the host list at the bottom and places check marks on the hosts that match what you entered in the "Include (whitelist)" field.
  4. Click Save. Splunk Enterprise adds the host to the server class and deploys the add-on to the deployment client on the Active Directory host.

Add domain controller clients to the "universal forwarder" server class

In the same way that you added the domain controller deployment client to the "domain controllers" server class to deploy the Active Directory add-on, add the client to the "universal forwarder" server class. This does two things:

  • Deploys the Splunk Add-on for Windows to the domain controller, which lets the client collect Windows data from the domain controller.
  • Deploys the "send to indexer" app to the domain controller, which lets the client forward Windows and Active Directory data to the Splunk App for Windows Infrastructure indexer.

To add the domain controller to the "universal forwarders" server class, see "Add the universal forwarder to the server class."

Next steps

You have now deployed the Active Directory add-on onto your domain controller deployment client. In the future, you can use this procedure to deploy the add-on(s) to additional client(s).

Next, you will confirm that Active Directory data arrives at the indexer.

Last modified on 17 April, 2020
Download and configure the Splunk Add-on for Microsoft Active Directory
Confirm and troubleshoot AD data collection

This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters