Splunk® Enterprise

Getting Data In


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.

Windows Active Directory

You can collect any kind of Active Directory change data with Splunk.

Do you want or need to know who's been changing passwords, adding user or machine accounts, or delegating authority to Group Policy objects? All of that information is at your fingertips with Splunk's Active Directory monitor. What's more, you can choose which part of the AD you want to scan for changes - from one node to the entire AD forest.

Note: In order to monitor any part of Active Directory, at a minimum you'll need to run Splunk as a user with read permissions to the Active Directory schema.

To get Active Directory data, introduce Splunk to your Active Directory:

1. From the Home page in Splunk Web, click Add data.

2. Under the Choose how you want Splunk to consume your data banner, click Monitor an Active Directory schema.

3. In the AD monitor name field, enter a unique name that you'll remember.

4. In the Target Domain Controller field, enter the host name of a domain controller on your network. Or, leave this field blank and Splunk will look for the nearest available domain controller and bind to it.

5. Optionally, in the Starting Node field, type in the Active Directory node that Splunk should begin monitoring from. Or, leave this field blank, and Splunk will begin monitoring from the highest part of the Active Directory tree that it has access to.

6. Check the Monitor subtree box to have Splunk monitor all child nodes under the node you specified in Step 5 (or, the top of the AD tree if no starting node was specified). Leave the box unchecked if you only wish to monitor the specified starting node.

7. Optionally, you can specify the destination index for this source.

8. Finally, click Save.

9. From the Success page, click Search to start searching. You can enter any term that's in your data, or you can click on a source, source type or host to see data from the Active Directory events as they come into Splunk.
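The same input can be defined directly in inputs.conf instead of through Splunk Web. The following stanza is an added example, not part of this topic; the stanza type and key names are the admon input settings from Splunk's inputs.conf.spec (check the spec shipped with your version), and the host name, DN and index name are constructed placeholders.

```ini
# Added example: inputs.conf equivalent of steps 3-7 above, for a Splunk
# instance running on a domain-joined Windows host as a user with read
# access to the AD schema (see the Note above).
# Place in $SPLUNK_HOME/etc/system/local/inputs.conf or an app's local/ dir,
# then restart Splunk.

# Step 3: the stanza name is the unique AD monitor name.
[admon://DC01_ADChanges]
# Step 4: bind to this domain controller. Omit the key to have Splunk
# locate the nearest available domain controller and bind to it.
targetDc = dc01.example.corp
# Step 5: Active Directory node to begin monitoring from. Omit the key to
# start at the highest node in the tree that the Splunk user can read.
startingNode = OU=Servers,DC=example,DC=corp
# Step 6: 1 = also monitor every child node under startingNode,
#         0 = monitor only the starting node itself.
monitorSubtree = 1
# Step 7: destination index. Create it first; if omitted, events go to
# the default index (main).
index = ad_changes
disabled = 0

# Variant covering the whole forest reachable by this account: no
# targetDc and no startingNode, with the subtree enabled.
[admon://Forest_ADChanges]
monitorSubtree = 1
index = ad_changes
disabled = 0
```

After a restart, `index=ad_changes` in the search bar should return the initial baseline of AD objects followed by change events; a second stanza with the same starting node will index the same changes twice, so keep the two variants above on separate hosts or enable only one.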

For more information on getting data from files and directories, see "Monitor Windows event log data" in this manual.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14

