Windows Active Directory
You can collect any kind of Active Directory change data with Splunk.
Do you want or need to know who has been changing passwords, adding user or machine accounts, or delegating authority to Group Policy objects? All of that information is at your fingertips with Splunk's Active Directory monitor. What's more, you can choose which part of the AD you want to scan for changes, from a single node to the entire AD forest.
Note: In order to monitor any part of Active Directory, at a minimum you'll need to run Splunk as a user with read permissions to the Active Directory schema.
To get Active Directory data, introduce Splunk to your Active Directory:
1. From the Home page in Splunk Web, click Add data.
2. Under the Choose how you want Splunk to consume your data banner, click Monitor an Active Directory schema.
3. In the AD monitor name field, enter a unique name that you'll remember.
4. In the Target Domain Controller field, enter the host name of a domain controller on your network. Or, leave this field blank and Splunk will look for the nearest available domain controller and bind to it.
5. Optionally, in the Starting Node field, type in the Active Directory node that Splunk should begin monitoring from. Or, leave this field blank, and Splunk will begin monitoring from the highest part of the Active Directory tree that it has access to.
6. Check the Monitor subtree box to have Splunk monitor all child nodes under the node you specified in Step 5 (or, the top of the AD tree if no starting node was specified). Leave the box unchecked if you only wish to monitor the specified starting node.
7. Optionally, you can specify the destination index for this source.
8. Finally, click Save.
9. From the Success page, click Search to start searching. You can enter any term that's in your data, or you can click a source, source type, or host to see the Active Directory events as they come into Splunk.
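The same input can be defined in inputs.conf instead of through Splunk Web, which is how you would deploy it to several forwarders or keep it under version control. The stanza below is an added example and is not text from this manual: the keys (targetDc, startingNode, monitorSubtree, index, disabled) are the admon input settings in Splunk's inputs.conf, while the stanza name, host name, distinguished name, index name and file path are constructed placeholders. Each key is mapped to the step above that sets the same value.

```ini
# Added example: the inputs.conf equivalent of the Add Data steps above.
# Assumed location: $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/ directory).
# The text after admon:// is the "AD monitor name" from Step 3 (placeholder name).
[admon://example-forest-monitor]

# Step 4: target domain controller. Omit this key to let Splunk bind to the nearest DC.
# dc01.example.local is a constructed placeholder host name.
targetDc = dc01.example.local

# Step 5: node to start monitoring from. Omit this key to start at the highest node
# the Splunk service account can read. The DN below is a constructed placeholder.
startingNode = OU=Servers,DC=example,DC=local

# Step 6: 1 = monitor all child nodes under the starting node; 0 = that node only.
monitorSubtree = 1

# Step 7: destination index (constructed placeholder; the index must already exist).
index = ad_changes

# 0 keeps the input enabled; set to 1 to pause collection without deleting the stanza.
disabled = 0
```

Restart Splunk after saving the file so the new input is read. As the note at the top of this page states, the account Splunk runs as still needs read permission on the Active Directory schema, or the input will bind but return no change events.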
For more information on getting data from files and directories, see "Monitor Windows event log data" in this manual.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14