The following are the spec and example files for admon.conf.
# Version 5.0.3 # # This file contains attribute/value pairs to use when configuring Windows # Active Directory monitoring. # # To learn more about configuration files (including precedence) please see # the documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles # GLOBAL SETTINGS # Use the [default] stanza to define any global settings. # * You can also define global settings outside of any stanza, at the top of the file. # * Each conf file should have at most one default stanza. If there are multiple default # stanzas, attributes are combined. In the case of multiple definitions of the same # attribute, the last definition in the file wins. # * If an attribute is defined at both the global level and in a specific stanza, the # value in the specific stanza takes precedence. [<stanza name>] * A unique name that represents a configuration or set of configurations for a specific domain controller (DC). * Multiple configurations are possible for any given DC. targetDc = <string> * Specifies a fully qualified domain name of a valid, network-accessible DC. * If not specified, Splunk will obtain the local computer's DC by default, and bind to its root Distinguished Name (DN). startingNode = <string> * Tells Splunk where in the Active Directory directory tree to start monitoring. * If not specified, Splunk will attempt to start at the root of the directory tree, by default. * Where Splunk starts monitoring is determined by the user Splunk is configured to run as on the computer running Active Directory monitor. monitorSubtree = [0|1] * Tells Splunk whether or not to monitor the subtree(s) of a given directory tree path. * Defaults to 1 (monitor subtrees of a given directory tree path). disabled = [0|1] * Tells Splunk whether or not the stanza is enabled. * Defaults to 0 (enabled.) index = <string> * Tells Splunk which index to store incoming data into for this stanza. * This field is optional. * Defaults to the default index.
# Version 5.0.3 # # This file contains an example configuration for monitoring changes # to the Splunk Active Directory monitor for Windows. Refer to # admon.conf.spec for details. # # To use one or more of these configurations, copy the configuration block into # admon.conf in $SPLUNK_HOME/etc/apps/windows/local/. You must restart Splunk to # enable configurations. # # To learn more about configuration files (including precedence) please see # the documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles [default] monitorSubtree = 1 disabled = 0 # Monitor the default domain controller for the domain that the computer # running Splunk belongs to. Start monitoring at the root node of Active # Directory. [NearestDC] targetDc = startingNode = # Monitor a specific DC, with a specific starting node. Store the events in # the "admon" Splunk index. [DefaultTargetDC] targetDc = pri01.eng.ad.splunk.com startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com index = admon # Monitor two different DCs with different starting nodes. [DefaultTargetDC] targetDc = pri01.eng.ad.splunk.com startingNode = OU=Computers,DC=eng,DC=ad,DC=splunk,DC=com [SecondTargetDC] targetDc = pri02.eng.ad.splunk.com startingNode = OU=Computers,DC=hr,DC=ad,DC=splunk,DC=com
Use the CLI to administer a remote Splunk Enterprise instance
This documentation applies to the following versions of Splunk® Enterprise: 5.0.3