Preparation Task Steps:
  • Download required Splunk Packages
  • Prepare Splunk® Core Components
  • Prepare the Splunk Deployment Server component
  • Prepare the Splunk Heavy Forwarder component
  • Prepare the TA Examples for Deploying to your Splunk Universal Forwarders
Upgrade Task Steps:
  • Adjust or verify required Splunk Knowledge Objects
  • Compare Currently Deployed Inputs with Example Pre-Defined TAs
  • Review Changes, configuration notes and more with the latest MS Windows AD Objects version

Splunk® Enterprise Software
Download the Splunk Enterprise software that will be used to install the Splunk Deployment Server and the Splunk Heavy Forwarder. Depending on your architecture these are either two separate instances or a single instance that serves both roles; the same package is used in either case.
Splunk Universal Forwarder Software
Download the Splunk Universal Forwarder software that will be used for installing the forwarder on each of your target Windows systems.
MS AD Windows Objects TA Examples
These pre-defined inputs and TAs are configured with the recommended input settings to get you started bringing Windows data into your Splunk environment.
Splunk Add-On for Microsoft Windows Splunk_TA_windows
Download the Splunk Add-On for Microsoft Windows application.
Splunk Cloud™ Universal Forwarder Credentials Application
  1. Click on the Universal Forwarder link to open the application where you can download the Splunk Cloud Credentials application.
  2. Then click Download Universal Forwarder Credentials.
Installing the Splunk Windows TA on the single Splunk Core Instance

We will now cover the steps to install and verify that the Splunk Add-on for Microsoft Windows is installed on your Splunk® Enterprise Core system.

  • You can skip the below steps if you already have the Splunk Add-on for Microsoft Windows installed on your Splunk® Enterprise Core system.
  1. Click Open Manage Applications to open the Application Management view in a separate tab.
  2. Click Install From File.
  3. Navigate to where you downloaded the Splunk Add-on for Microsoft Windows application.
  4. Click the Upload button to install the Splunk Add-on for Microsoft Windows application on this instance.
  5. Follow the prompts to complete the installation.
  6. Click Restart Later. Do not restart the Splunk instance until after you have completed all of the remaining Preparation Tasks listed in the left panel.
Installing the Splunk Windows TA on the Distributed Splunk Core Instances

We will now cover the steps to install and verify that the Splunk Add-on for Microsoft Windows is installed on your Splunk® Enterprise Core Search Head(s) and Indexer(s).

  • You can skip the below steps if you already have the Splunk Add-on for Microsoft Windows installed on your Splunk Search Head(s) and Indexer(s).
  1. Current instance: Click Open Manage Applications to open the Application Management view in a separate tab.
    • Splunk Indexer(s): To perform these steps on the Splunk Indexer(s), log in to their Web UI and navigate to the Apps menu dropdown > Manage Applications.
  2. Click Install From File.
  3. Navigate to where you downloaded the Splunk Add-on for Microsoft Windows application.
  4. Click the Upload button to install the Splunk Add-on for Microsoft Windows application on this instance.
  5. Follow the prompts to complete the installation.
  6. Click Restart Later. Do not restart the Splunk instance until after you have completed all of the remaining Preparation Tasks listed in the left panel.
  7. Repeat the above steps for the Indexer(s) that will be receiving Windows Data and all Search Head(s).
Installing the Splunk Windows TA in the Splunk Cloud™ environment

We will now cover the steps to install and verify that the Splunk Add-on for Microsoft Windows is installed in your Splunk Cloud™ environment.

  • You can skip the below steps if you already have the Splunk Add-on for Microsoft Windows installed in your Splunk Cloud™ environment.
  1. Click Splunk Home Page to open the Splunk Web Home page.
  2. From the Splunk Web home page, click the Apps gear icon .
  3. Click Browse more apps.
  4. In the filter box, type in Windows Add-On.
  5. Select the Install button for the Splunk Add-on for Microsoft Windows application to install the Splunk_TA_windows application.
    • If the Splunk Add-on for Microsoft Windows app is not listed, or if the app indicates that self-service installation is not supported, contact Splunk Support.
  6. Follow the prompts to complete the installation.
  7. After completing this step, proceed to the next Preparation Task section.
Enable Receiving Port on the Splunk Core System

We will now cover the steps to enable and configure the Receiving Port on your Splunk Core System using the Splunk Web console.

  • You can skip the steps below if you already have the Receiving Port enabled on your Splunk Core System.
    • If the button above does not work for you (or is not shown), navigate in the Splunk UI to Settings > Forwarding and receiving > Configure receiving.
  1. If a receiver port is already enabled, you can either use it or click the New Receiving Port button to create a new one.
    • You cannot create a duplicate receiver port.
    • The conventional receiver port on indexers is port 9997.
  2. Add a port number (default is 9997).
  3. Click the Save button and proceed to the next Preparation Task section.
Enable Receiving Port on the Splunk Indexer(s)

We will now cover the steps to enable and configure the Receiving Port on your Splunk Indexer(s) using the Splunk Web console.

  • You can skip the steps below if you already have the Receiving Port enabled on your Splunk Indexer(s).
  1. In a separate browser tab, log in to your Splunk Indexer(s) with a user that has the admin role.
  2. In the Splunk Web UI, navigate to Settings > Forwarding and receiving > Configure receiving.
  3. If a receiver port is already enabled, you can either use it or click the New Receiving Port button to create a new one.
    • You cannot create a duplicate receiver port.
    • The conventional receiver port on indexers is port 9997.
  4. Add a port number (default is 9997).
  5. Click the Save button and proceed to next Preparation Task section.
Create and configure the indexes on your Splunk Core system or Splunk Indexer(s)

We will now cover the steps to create the indexes that will store the Windows data sent from your Windows machines.

  • Important Note: If your Windows data is going to different indexes than those listed below, make sure to follow the steps for adjusting the macros in the next Preparation step (Adjust or verify Splunk Knowledge Objects).
  • In this step, you create the following indexes, if they are not already created:
    • Where several indexes are listed they are comma separated; enter each name on its own, without the comma.
    • It is a best practice to create separate indexes for different types of data.
    • This is useful when you need different storage settings for different types of data; for example, you may need to retain wineventlog events for a specified period for compliance purposes. Separate indexes are also the unit of access control in Splunk (a role is granted access per index), so keeping Windows security event logs in their own index lets you restrict who can search them.
  1. Single instance: Click Open Index Manager to open the indexes management view.
    • If the button does not work for you, open a separate browser tab, connect to your Splunk instance and navigate to Settings > Indexes.
  2. Distributed deployment: In a separate browser tab, log in to each Splunk Indexer's Web UI with a user that has the admin role.
  3. Navigate to Settings > Indexes.
  4. Click New
  5. For the index name, enter one of the index names from the list above.
  6. For index data type, select Events
  7. Click below to review the details on Customizing the settings:
    • For other below settings you can use the defaults or if you want to customize then Click Configure index storage to review more detailed information on these index settings.
      • The path locations for index data storage:
        • Home path. Leave blank for default $SPLUNK_DB/<index_name>/db
        • Cold path. Leave blank for default $SPLUNK_DB/<index_name>/colddb
        • Thawed path. Leave blank for default $SPLUNK_DB/<index_name>/thaweddb
      • Enable/disable data integrity check.
      • The maximum size of the entire index. Defaults to 500000 MB.
      • The maximum size of each index bucket. When setting the maximum size, use auto_high_volume for high volume indexes (such as the main index); otherwise, use auto.
      • The frozen archive path. Set this field if you want to archive frozen buckets. For information on bucket archiving, see Archive indexed data.
      • The app in which the index resides.
      • The tsidx retention policy. See Reduce tsidx usage.
  8. Click Save
  9. Repeat these steps for each of the remaining indexes listed above (where several are listed they are comma separated; create each one).
  10. Repeat all of the above steps on each of the indexers that will receive Windows data.
  11. After completing this step, proceed to the next Preparation section, Adjust or verify Splunk Knowledge Objects.
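The same four indexes defined as configuration instead of clicked in through Settings > Indexes, as an added example that is not part of this guide or of the MS Windows AD Objects app. The script writes an indexes.conf with a different retention per data type (the compliance case mentioned in the note above), turns on the data integrity check, and reads the file back for verification. The app name windows_indexes, the retention days and the 500000 MB cap are assumptions; adjust them to your own policy.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide or the MS Windows AD Objects app.
# Writes indexes.conf for the four recommended Windows indexes with a
# retention per data type, so one definition can be deployed to every
# indexer instead of being clicked in on each one.
# Assumed: app name "windows_indexes", retention days, 500000 MB cap.
set -eu

# name:retention_days:maxDataSize policy. wineventlog and msad are kept a
# year for compliance (assumed policy); auto_high_volume for the busy index.
INDEX_SPECS="wineventlog:365:auto_high_volume
perfmon:90:auto
msad:365:auto
windows:90:auto"

# Days -> frozenTimePeriodInSecs (buckets older than this are frozen).
retention_secs() {
    echo $(( $1 * 86400 ))
}

# One indexes.conf stanza. homePath/coldPath/thawedPath are required for an
# index defined in a .conf file; the values below are Splunk's defaults.
# enableDataIntegrityControl is the "data integrity check" from the UI.
index_stanza() {
    local name=$1 days=$2 bucket=$3
    printf '[%s]\n' "$name"
    printf 'homePath = $SPLUNK_DB/%s/db\n' "$name"
    printf 'coldPath = $SPLUNK_DB/%s/colddb\n' "$name"
    printf 'thawedPath = $SPLUNK_DB/%s/thaweddb\n' "$name"
    printf 'frozenTimePeriodInSecs = %s\n' "$(retention_secs "$days")"
    printf 'maxDataSize = %s\n' "$bucket"
    printf 'maxTotalDataSizeMB = 500000\n'
    printf 'enableDataIntegrityControl = 1\n\n'
}

# Append every missing stanza to the given indexes.conf; re-runs are safe.
write_indexes_conf() {
    local conf=$1
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    echo "$INDEX_SPECS" | while IFS=: read -r name days bucket; do
        if grep -q "^\[$name\]" "$conf"; then
            echo "skip $name: stanza already present in $conf" >&2
            continue
        fi
        index_stanza "$name" "$days" "$bucket" >> "$conf"
    done
}

# Read back the retention (in days) of one index, for verification.
configured_retention_days() {
    local conf=$1 name=$2
    awk -v want="[$name]" '
        $0 == want { in_stanza = 1; next }
        /^\[/      { in_stanza = 0 }
        in_stanza && $1 == "frozenTimePeriodInSecs" { print int($3 / 86400); exit }
    ' "$conf"
}

if [ "${1:-}" = "--write" ]; then
    # Assumed target app; on an indexer cluster push it from the manager instead.
    conf="${SPLUNK_HOME:-/opt/splunk}/etc/apps/windows_indexes/local/indexes.conf"
    write_indexes_conf "$conf"
    for idx in wineventlog perfmon msad windows; do
        echo "$idx: $(configured_retention_days "$conf" "$idx") days"
    done
    # Then confirm the merged result: $SPLUNK_HOME/bin/splunk btool indexes list wineventlog --debug
fi
```

Run it with --write on a single instance, then restart once the remaining preparation tasks are done. Indexes created through the UI end up in an app's local/indexes.conf the same way; on an indexer cluster the app goes into the manager's apps directory and is pushed from there rather than written on each peer.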
Create and configure the indexes in your Splunk Cloud™ environment

We will now cover the steps to create the indexes that will store the Windows data sent from your Windows machines.

  • Important Note: If your Windows data is going to different indexes than those listed below, make sure to follow the steps for adjusting the macros in the next Preparation step (Adjust or verify Splunk Knowledge Objects).
  • In this step, you create the following indexes, if they are not already created:
    • Where several indexes are listed they are comma separated; enter each name on its own, without the comma.
    • It's a best practice to create separate indexes for different types of data.
    • This can be useful if you want different storage settings for different types of data. For example, you may need to store wineventlogs for a specified time period for compliance purposes.
  1. Click Open Index Manager to open the indexes management view.
    • If the above button does not work for you then open a separate browser tab, connect to your Splunk Instance and Navigate to Settings > Indexes.
  2. Click New Index.
  3. For the index name, enter one of the index names from the list above.
  4. For index data type, select Events.
  5. For searchable time (days), enter 90.
    • Optionally, you can extend your storage for longer if you have different requirements. By default Splunk Cloud provides 90 days of searchable storage.
  6. Click No Additional Storage, and click Save
    • You can also set up different types of storage for expired Splunk Cloud data (such as self-storage or archiving).
  7. Repeat these steps for any of the indexes listed above that have not already been created (where several are listed they are comma separated).
  8. After completing this step, proceed to the next Preparation section Adjust or verify Splunk Knowledge Objects.
Adjust or verify Splunk Knowledge Objects

We will now cover the steps for adjusting the Splunk Knowledge Objects (macros) used by the MS Windows AD Objects application so that they point at the indexes where the Windows data is stored.

Auto Check Information:
  • An autocheck search was executed to check if the defined indexes in the required macros are available (created).
  • All of the indexes defined in the macros below have been found. It is still recommended to review the table below to make sure the created indexes align with the correct data type for each macro.
  • Review the troubleshooting steps below:
    • If you created different index names for your Windows/Active Directory data, follow the Adjusting the Macros used by the MS AD Windows Objects steps below.
    • Troubleshooting steps if you created the recommended indexes (wineventlog, perfmon, msad, windows):

      Verify Role Index Permissions:

      1. Click Review Roles to open the Roles page.
      2. Click the role(s) associated with your account.
      3. Click the 3. Indexes tab.
      4. Verify that the Default box is selected for each of the created indexes (wineventlog, perfmon, msad, windows). Default marks an index as searched when a search does not name one; grant it only to the roles that need to see Windows security data, since this is what controls who can search those logs.
      5. Click Save, then click the Rerun Autocheck button below to rerun the autocheck and refresh the results.
        • If errors persist after this and you are sure you created the default indexes, you can proceed to the next Preparation item.
    • Click Rerun Autocheck to rerun the autocheck after completing either the troubleshooting steps above or the preparation steps below.
Current Index Macro Definitions:

Adjusting the Macros used by the MS AD Windows Objects

  1. Click Macro Settings to open the settings page for the macros, or click an individual macro name below to adjust that macro's definition.
  2. Use the list below to match the custom indexes you created for your Windows data with the appropriate macro.
  3. Click the individual macro links to update each definition with your aligned custom indexes (use OR for multiple indexes, for example index=winosevt OR index=winossecurityevt).
  4. Click Save after adjusting each macro.
  5. Click Rerun Autocheck to rerun the autocheck search and validate your changes.
  6. After adjusting the macros and verifying the changes, proceed to the next Preparation item.
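An added example, not part of this guide or of the app, for doing the macro work offline: a helper that turns a comma-separated list of custom indexes into the index=a OR index=b definition the step above asks for, and an audit that extracts every index named in a macros.conf and checks it against the index stanzas of an indexes.conf (the same check the autocheck search performs inside Splunk). The macro names wineventlog_index and msad_index, the app directory ms_windows_ad_objects and the file paths are assumptions; the real macro names are the ones listed on this page, and the parser assumes unquoted index names as in the example definition above.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide or the app: build the index-filter
# macro definition from a custom index list, and audit macros.conf against
# indexes.conf offline (what the autocheck search does inside Splunk).
# Assumed: macro names, app directory, unquoted index names in definitions.
set -eu

# "winosevt, winossecurityevt" -> "index=winosevt OR index=winossecurityevt"
macro_definition() {
    local csv=$1 out="" name old_ifs=$IFS
    IFS=,
    set -- $csv
    IFS=$old_ifs
    for name in "$@"; do
        name=$(echo "$name" | tr -d '[:space:]')
        [ -n "$name" ] || continue
        out="${out:+$out OR }index=$name"
    done
    echo "$out"
}

# macros.conf stanza for a macro whose definition is such an index filter.
macro_stanza() {
    printf '[%s]\ndefinition = %s\niseval = 0\n\n' "$1" "$(macro_definition "$2")"
}

# Every index named as "index=<name>" in one macro's definition.
macro_indexes() {
    local conf=$1 macro=$2
    awk -v want="[$macro]" '
        $0 == want { in_stanza = 1; next }
        /^\[/      { in_stanza = 0 }
        in_stanza && $1 == "definition" {
            n = split($0, parts, /index *= */)
            for (i = 2; i <= n; i++) { split(parts[i], tok, /[ )]/); print tok[1] }
        }
    ' "$conf"
}

# Index stanza names in an indexes.conf (or in saved "splunk btool indexes list" output).
defined_indexes() {
    sed -n 's/^\[\([^]]*\)\]$/\1/p' "$1"
}

# Report every macro index with no matching index stanza; returns 1 if any.
check_macro_indexes() {
    local macros_conf=$1 indexes_conf=$2 rc=0 macro idx
    for macro in $(sed -n 's/^\[\(.*\)\]$/\1/p' "$macros_conf"); do
        for idx in $(macro_indexes "$macros_conf" "$macro"); do
            if ! defined_indexes "$indexes_conf" | grep -qx "$idx"; then
                echo "MISSING: macro [$macro] references index '$idx', which is not defined" >&2
                rc=1
            fi
        done
    done
    return $rc
}

if [ "${1:-}" = "--audit" ]; then
    # Assumed: the app's local macros.conf; the merged index list comes from btool.
    splunk_home=${SPLUNK_HOME:-/opt/splunk}
    app="$splunk_home/etc/apps/ms_windows_ad_objects"
    merged=$(mktemp)
    "$splunk_home/bin/splunk" btool indexes list > "$merged"
    check_macro_indexes "$app/local/macros.conf" "$merged"
fi
```

Run with --audit on the search head after editing the macros; a non-zero exit with a MISSING line means a macro still names an index that no indexes.conf defines, which is exactly the case the Rerun Autocheck button reports.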
Install the Splunk Deployment Server

The Deployment Server (DS) is an instance of Splunk Enterprise that you install on a Windows or Linux machine and configure to push Splunk apps to the Splunk Universal Forwarders on your target Windows systems.

  • You can skip the below steps if you already have the Splunk Deployment Server installed in your Splunk environment.
  • Follow the steps below for the OS type you will be installing the Deployment Server on.
  • If you did not download the Splunk Enterprise software in the previous preparation steps, click Download to download the Splunk Enterprise software that will be used to install the Splunk Deployment Server.
  • Do not install on the same machine as a Splunk Universal Forwarder.
Install Splunk Deployment Server on Windows

You can install Splunk Enterprise on Windows with the Graphical User Interface (GUI)-based installer or from the command line. More options, such as silent installation, are available if you install from the command line. See Install on Windows from the command line for the command line installation procedure.

  • You cannot install or run the 32-bit version of Splunk Enterprise for Windows on a 64-bit Windows machine. You also cannot install Splunk Enterprise on a machine that runs an unsupported OS. For example, you cannot install Splunk Enterprise on a machine that runs Windows Server 2003. See System requirements. If you attempt to run the installer in such a way, it warns you and prevents the installation.
  • Before you install
    • Choose the Windows user Splunk should run as
      • Before installing, see Info to determine which user account Splunk should run as to address your specific needs. The user you choose has ramifications on what you must do prior to installing the software, and more details can be found there.
    • Disable or limit antivirus software if able
      • The Splunk Enterprise indexing subsystem requires high disk throughput. Any software with a device driver that intermediates between Splunk Enterprise and the operating system can restrict processing power available to Splunk Enterprise, causing slowness and even an unresponsive system. This includes anti-virus software.
      • You must configure such software to avoid on-access scanning of Splunk Enterprise installation directories and processes before you start a Splunk installation.
    • Consider installing Splunk software into a directory with a short path name
      • By default, the Splunk MSI file installs the software to \Program Files\Splunk on the system drive (the drive that booted your Windows machine.) While this directory is fine for many Splunk software installations, it might be problematic for installations that run in distributed deployments or that employ advanced Splunk features such as search-head or indexer clustering.
      • The Windows API has a path limitation of MAX_PATH which Microsoft defines as 260 characters including the drive letter, colon, backslash, 256-characters for the path, and a null terminating character. Windows cannot address a file path that is longer than this, and if Splunk software creates a file with a path length that is longer than MAX_PATH, it cannot retrieve the file later. There is no way to change this configuration.
      • To work around this problem, if you know that the instance will be a member of a search head or indexer cluster, consider installing the software into a directory with a short path length, for example C:\Splunk or D:\SPL.
  • Begin the installation
    1. Copy the previously downloaded Splunk Enterprise Software from the Network Share to the target Splunk Deployment Server system.
    2. To start the installer, double-click the splunk.msi file. The installer runs and displays the Splunk Enterprise Installer panel.
    3. To continue the installation, check the "Check this box to accept the License Agreement" checkbox. This activates the "Customize Installation" and "Next" buttons.
      • (Optional) If you want to view the license agreement, click View License Agreement.
      • Next Step - Installation Options

        The Windows installer gives you two choices: Install with the default installation settings, or configure all settings prior to installing. When you choose to install with the default settings, the installer does the following:

        • Installs Splunk Enterprise in \Program Files\Splunk on the drive that booted your Windows machine.
        • Installs Splunk Enterprise with the default management and Web network ports.
        • Configures Splunk Enterprise to run as the Local System user.
        • Prompts you to create a Splunk administrator password. You must do this before installation can continue.
        • Creates a Start Menu shortcut for the software.
    • Continue with Customize Options
      1. Click Customize Options button.
      2. Click Change… to specify a different location to install Splunk Enterprise, or click Next to accept the default value.
      3. The installer displays the "Choose the user Splunk Enterprise should run as" panel. Select a user type and click Next.
        • If you selected the Local System user, proceed to Step 5. Otherwise, the installer displays the Logon Information: specify a username and password panel.
      4. Enter the Windows credentials that Splunk Enterprise uses to run on the machine and click Next.
        • These credentials are different from the Splunk administrator credentials that you create in the next step.
      5. Create credentials for the Splunk administrator user by entering a username and password that meets the minimum eligibility requirements as shown in the panel and click Next.
        • You must perform this action as the installation cannot proceed without your completing it. If you do not enter a username, the installer creates the admin user during the installation process.
      6. The installer displays the installation summary panel. Click Install to proceed with the installation.
      7. Click Finish. The installation completes, Splunk Enterprise starts and launches in a supported browser if you checked the appropriate box.
    • Or Continue With Default Options
      1. Click Next
      2. Enter the Windows credentials that Splunk Enterprise uses to run on the machine and click Next.
        • These credentials are different from the Splunk administrator credentials that you create in the next step.
      3. The installer displays the installation summary panel. Click Install to proceed with the installation.
      4. Click Finish. The installation completes, Splunk Enterprise starts and launches in a supported browser if you checked the appropriate box.
Install Splunk Deployment Server on Linux

You can install Splunk Enterprise on Linux using RPM or DEB packages or a tar file, depending on the version of Linux your host runs.

  • Tar file installation
    • What to know before installing with a tar file:
      • Knowing the following items helps ensure a successful installation with a tar file:
        • Some non-GNU versions of tar might not have the -C argument available. In this case, to install in /opt/splunk, either cd to /opt or place the tar file in /opt before you run the tar command. This method works for any accessible directory on your host file system.
        • Splunk Enterprise does not create the splunk user. If you want Splunk Enterprise to run as a specific user, you must create the user manually before you install.
        • Confirm that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.
    • Installation procedure:
      1. Expand the tar file into an appropriate directory using the tar command:
        tar xvzf splunk_package_name.tgz

        The default installation directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

        tar xvzf splunk_package_name.tgz -C /opt
  • RedHat RPM installation
    • RPM packages are available for Red Hat, CentOS, and similar versions of Linux.
    • The rpm package does not provide any safeguards when you use it to upgrade. While you can use the --prefix flag to install it into a different directory, upgrade problems can occur if the directory that you specify with the flag does not match the directory where you initially installed the software.
    • After installation, software package validation commands (such as rpm -Vp <rpm_file>) might fail because of intermediate files that get deleted during the installation process. To verify your Splunk installation package, use the splunk validate files CLI command instead.
    1. Confirm that the RPM package you want is available locally on the target host.
    2. Verify that the Splunk Enterprise user account that will run the Splunk services can read and access the file.
    3. If needed, change permissions on the file.
      chmod 644 splunk_package_name.rpm
    4. Invoke the following command to install the Splunk Enterprise RPM in the default directory /opt/splunk.
      rpm -i splunk_package_name.rpm
    5. (Optional) To install Splunk in a different directory, use the --prefix flag.
      rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
    • Automate RPM installation with Red Hat Linux Kickstart

      • If you want to automate an RPM install with Kickstart, edit the kickstart file and add the following:
        ./splunk start --accept-license
        ./splunk enable boot-start

        Note: The enable boot-start line is optional.

  • Debian .DEB installation
    • Prerequisites to installation
      • You can install the Splunk Enterprise Debian package only into the default location, /opt/splunk.
      • This location must be a regular directory, and cannot be a symbolic link.
      • You must have access to the root user or have sudo permissions to install the package.
      • The package does not create environment variables to access the Splunk Enterprise installation directory. You must set those variables on your own.

      Note: If you need to install Splunk Enterprise somewhere else, or if you use a symbolic link for /opt/splunk, then use a tar file to install the software.

    • Installation procedure
      • Run the dpkg installer with the Splunk Enterprise Debian package name as an argument.
        dpkg -i splunk_package_name.deb

      Debian commands for showing installation status

      • Splunk package status:
        dpkg --status splunk
      • List all packages:
        dpkg --list

      Information on expected default shell and caveats for Debian shells

      • Splunk Enterprise expects you to run commands from the bash shell. It expects bash to be available from /bin/sh.
      • On later versions of Debian Linux (for example, Debian Squeeze), the default shell is the dash shell.
      • Using the dash shell can result in zombie processes - processes that have completed execution, yet remain in the process table and cannot be killed or removed.
      • If you run Debian Linux, consider changing your default shell to be bash.
  • Now that you have installed the Splunk Deployment Server, continue with the configuration sections below.
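An added example, not from this guide or from Splunk, of the tar-file procedure above done the way a security engineer would run it: the package's SHA-512 is compared with the .sha512 file published beside the download before anything is extracted, Splunk runs as a dedicated unprivileged splunk user (the tarball does not create one, as noted above), the admin password is seeded from a root-only file rather than typed on the command line, and boot-start is enabled for that user. The package file name, the /root/splunk-admin-pass path and /opt/splunk are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the guide or Splunk: tar-file install with the
# package checksum verified first, a dedicated unprivileged service user,
# the admin password seeded from a file, and boot-start for that user.
# Placeholders: package file name, checksum file, /root/splunk-admin-pass.
set -eu

PKG=${PKG:-splunk-x.y.z-linux-x86_64.tgz}          # downloaded package (assumed name)
SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
PASS_FILE=${PASS_FILE:-/root/splunk-admin-pass}    # assumed: mode 0600, one line

# Pull the 128-hex-digit digest out of the published .sha512 file, whatever
# its layout ("SHA512(file)= <hex>" or "<hex>  file").
published_sha512() {
    grep -oE '[0-9a-fA-F]{128}' "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Compare a file's SHA-512 with the published value; returns 1 on mismatch.
verify_sha512() {
    local file=$1 expected=$2 actual
    actual=$(sha512sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
}

install_splunk() {
    # Stop before extracting anything if the download does not match.
    verify_sha512 "$PKG" "$(published_sha512 "$PKG.sha512")"

    # The tarball does not create the service account; do it ourselves.
    id splunk >/dev/null 2>&1 || \
        sudo useradd --system --home-dir "$SPLUNK_HOME" --shell /bin/bash splunk

    sudo tar xzf "$PKG" -C "$(dirname "$SPLUNK_HOME")"

    # user-seed.conf is read on first start to create the admin user, so the
    # password never appears in argv, shell history or the process list.
    sudo mkdir -p "$SPLUNK_HOME/etc/system/local"
    printf '[user_info]\nUSERNAME = admin\nPASSWORD = %s\n' "$(sudo cat "$PASS_FILE")" \
        | sudo tee "$SPLUNK_HOME/etc/system/local/user-seed.conf" >/dev/null
    sudo chmod 600 "$SPLUNK_HOME/etc/system/local/user-seed.conf"

    sudo chown -R splunk:splunk "$SPLUNK_HOME"
    sudo -u splunk "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    # The generated init/systemd unit then runs splunkd as splunk, not root.
    sudo "$SPLUNK_HOME/bin/splunk" enable boot-start -user splunk
}

if [ "${1:-}" = "--install" ]; then
    install_splunk
fi
```

Run it with --install from the directory holding the package and its .sha512 file. If you install the RPM instead, rpm -K <package> checks the package file's signature and digests before installation once the vendor's signing key has been imported with rpm --import; that check is separate from the post-install rpm -Vp limitation described above.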
Configure HTTPS for Splunk Web.

We will now cover the steps to enable HTTPS on the Splunk Web console of your Splunk Deployment Server.

  • This is a security best practice: without it, the admin credentials and session cookies for the Deployment Server travel in cleartext. Splunk's default certificates are signed by a root CA that ships with every Splunk installation, so they authenticate nothing; for additional security replace them with a certificate issued by your own CA instead of using the default certificates.
  1. In a separate browser tab, log in to your Splunk Deployment Server instance with a user that has the admin role.
  2. Navigate to Settings > Server settings > General Settings.
  3. Under Enable SSL (HTTPS) in Splunk Web, click Yes, and click Save.
Enable Receiver Port on Splunk Deployment Server

We will now cover the steps to enable and configure the Receiving Port on your Splunk Deployment Server (acting as the Heavy or Gateway Forwarder), using either the command line or the Splunk Web console.

  • You can skip the steps below if you already have the Receiving Port enabled on your Splunk Heavy or Gateway Forwarder system.
  • Configure a receiver using the command line:
    1. Open a shell prompt.
    2. Change directory to $SPLUNK_HOME/bin.
    3. Type: splunk enable listen <port> -auth <username>:<password>
      • Replace <port> with the port you will specify for your Splunk Universal Forwarders (default is 9997).
      • Replace <username> and <password> with the Splunk administrator credentials you created when you installed Splunk on this instance.
      • Example: splunk enable listen 9997 -auth admin:mysecretpassword
      • Caution: a password passed with -auth is recorded in the shell history and visible in the process list while the command runs. Omit -auth and the CLI prompts for the credentials instead.
    4. Do not restart until all the steps listed in the left panel have been completed.
    5. Proceed to the next Preparation item.
  • OR Configure a receiver port using the Splunk UI:
    1. Log into Splunk Web on your Splunk Heavy/Gateway Forwarder as a user with the admin role.
    2. In Splunk Web, go to Settings > Forwarding and receiving.
    3. Select "Configure receiving."
    4. Verify if there are existing receiver ports open. You cannot create a duplicate receiver port. The conventional receiver port on indexers is port 9997.
    5. Select "New Receiving Port."
    6. Add a port number (default is 9997)
    7. Click the Save button.
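An added example, not part of this guide, that covers the previous two sections as configuration files rather than clicks: web.conf enabling HTTPS for Splunk Web with a certificate from your own CA, inputs.conf opening the splunktcp receiver (the stanza that splunk enable listen 9997 writes, without a password on the command line), a guard that refuses to overwrite an existing file, and read-back checks plus a post-restart verification. The certificate paths under etc/auth/mycerts, the host name ds.example.com and the CA bundle path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: the Deployment Server's two listeners
# as configuration files, with read-back checks. Assumed: certificate paths,
# host name ds.example.com, CA bundle path.
set -eu

SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
LOCAL=$SPLUNK_HOME/etc/system/local

# Refuse to clobber an existing file: merge the settings by hand instead.
write_new_conf() {
    local conf=$1
    if [ -e "$conf" ]; then
        echo "$conf already exists; merge these settings by hand" >&2
        return 1
    fi
    mkdir -p "$(dirname "$conf")"
    cat > "$conf"
}

# web.conf: HTTPS for Splunk Web with a certificate from your own CA.
# Splunk's default certificates are signed by a CA that ships with every
# Splunk install, so they authenticate nothing; point at your own pair.
write_web_conf() {
    local conf=$1 cert=$2 key=$3
    printf '[settings]\nenableSplunkWebSSL = true\nserverCert = %s\nprivKeyPath = %s\n' \
        "$cert" "$key" | write_new_conf "$conf"
}

# inputs.conf: the splunktcp receiver forwarders connect to (what
# "splunk enable listen <port>" writes), with no password in argv.
write_receiver_conf() {
    local conf=$1 port=$2
    printf '[splunktcp://%s]\ndisabled = 0\n' "$port" | write_new_conf "$conf"
}

# Value of <key> in [<stanza>] of a .conf file (first match), for verification.
conf_get() {
    local conf=$1 stanza=$2 key=$3
    awk -v want="[$stanza]" -v key="$key" '
        $0 == want { in_stanza = 1; next }
        /^\[/      { in_stanza = 0 }
        in_stanza && $1 == key { sub(/^[^=]*= */, ""); print; exit }
    ' "$conf"
}

# Port of the first splunktcp receiver stanza in an inputs.conf.
receiver_port() {
    sed -n 's/^\[splunktcp:\/\/\(.*\)\]$/\1/p' "$1" | head -n 1
}

# After the restart: HTTPS must validate against your CA (no -k), and the
# receiver must be listening on the configured port.
verify_live() {
    local ca=${CA_BUNDLE:-/etc/pki/tls/certs/corp-ca.pem} host=${DS_HOST:-ds.example.com}
    curl -sS --cacert "$ca" -o /dev/null -w 'Splunk Web HTTPS: %{http_code}\n' "https://$host:8000/"
    ss -ltn "sport = :$(receiver_port "$LOCAL/inputs.conf")"
}

case "${1:-}" in
    --configure)
        write_web_conf "$LOCAL/web.conf" "$SPLUNK_HOME/etc/auth/mycerts/ds.pem" "$SPLUNK_HOME/etc/auth/mycerts/ds.key"
        write_receiver_conf "$LOCAL/inputs.conf" 9997
        echo "restart Splunk after the remaining preparation tasks, then run: $0 --verify" ;;
    --verify)
        verify_live ;;
esac
```

The splunktcp stanza written here carries forwarder traffic in cleartext, which is all the guide's receiving-port steps set up; encrypting that leg means a splunktcp-ssl stanza on this side and matching TLS settings in the forwarders' outputs.conf, which is outside the scope of this page.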
Install the Splunk Cloud Credentials App

We will now cover the steps to install the Splunk Cloud Credentials Application on the Splunk Deployment Server.

  • If you did not previously download the Splunk Cloud Credentials App, see the download step in the Download required Splunk Packages task.
  • If you already have the Splunk Cloud Credentials App installed on your Splunk Deployment Server, skip this section.
  1. In a separate browser tab, login to your Splunk Deployment Server instance with an user that has the admin role.
  2. Navigate to Apps menu dropdown > Manage Applications
  3. Click Install From File.
  4. In the file chooser dialog, go to the Network Share where you downloaded the Universal Forwarder Credentials application and select the splunkclouduf.spl file.
  5. Click the Upload button to install the Splunk Cloud Credentials application on the Deployment Server Instance.
  6. Follow the prompts to complete the installation.
  7. Click Restart Later. Don't Restart the Splunk Instance until after you have completed all of the remaining Preparation Tasks listed in the left panel.
Install the Splunk Add-On for Microsoft Windows App

We will now cover the steps to install the Splunk Add-On for Microsoft Windows App Application on the Splunk Deployment Server.

  • If you already have the Splunk Add-on for Microsoft Windows installed on your Splunk Deployment Server, skip this section.
  1. In a separate browser tab, login to your Splunk Deployment Server instance with an user that has the admin role.
  2. Navigate to Apps menu dropdown > Manage Applications
  3. Click Install From File.
  4. In the file chooser dialog, go to the Network Share where you downloaded the Splunk_TA_windows application and select the Splunk_TA_windows.spl file.
  5. Click the Upload button to install the Splunk Add-On for Microsoft Windows application on the Deployment Server Instance.
  6. Follow the prompts to complete the installation.
  7. Click Restart Later. Don't Restart the Splunk Instance until after you have completed all of the remaining Preparation Tasks listed in the left panel.
Configure the licensing for the deployment server
  1. In a separate browser tab, login to your Splunk Deployment Server instance with an user that has the admin role.
  2. From Settings > Licensing use the license to configure the Splunk instance as a deployment server.
    • If you are a current customer, this is the license you requested from Splunk Support in the prerequisites.
    • If you are doing a Proof of Concept, you can skip this step and use the temporary license.
  3. Click Restart Later Don't Restart the Splunk Instance until after you have completed all of the remaining Preparation Tasks listed in the left panel.
  4. This completes this current Preparation section for the Splunk Deployment Server, proceed to the next Preparation section for this task.
Pre-Defined TA Configuration: Copy App(s) to the Splunk Deployment Server

Complete the 3 steps below, using the table above each step group as a visual map.

Step 1: downloaded TA copy location (source) and target Splunk Deployment Server directory

  • Source: \\Network_Share
    • ...\ms_ad_obj_ta_examples
      • ...\Splunk_TA_windows_dc\...
      • ...\Splunk_TA_windows_admon\...
  • Target: ...\splunk
    • ...\etc
      • ...\deployment-apps
  1. Using a terminal or file explorer, navigate to the \\Network_Share\ms_ad_obj_ta_examples\ directory, copy the Splunk_TA_windows_dc and Splunk_TA_windows_admon folders, and paste them into the $SPLUNK_HOME/etc/deployment-apps/ directory (shown as /splunk/etc/deployment-apps/ above) on the Splunk Deployment Server.
  2. (Optional) Customize the pre-defined inputs.conf in each copied app.
    • For example, if you created indexes other than the recommended ones (wineventlog, perfmon, msad, windows) to store your Windows data, update each index = ... setting with your aligned indexes. Events sent to an index that does not exist on the indexer are discarded, so this alignment matters.

Step 2: source and target directories on the Splunk Deployment Server

  • Source: ...\splunk
    • ...\etc
      • ...\apps
        • ...\Splunk_TA_windows\...
  • Target: ...\splunk
    • ...\etc
      • ...\deployment-apps
  1. Using a terminal or file explorer, navigate on the Splunk Deployment Server to the ...\splunk\etc\apps\ directory.
  2. Copy the Splunk_TA_windows folder and paste it, on the same system, into the $SPLUNK_HOME/etc/deployment-apps/ directory.
    • If you did not install the Splunk Add-on for Microsoft Windows on your Splunk Deployment Server, download it (see the Download required Splunk Packages task), extract it, and place the Splunk_TA_windows folder into $SPLUNK_HOME/etc/deployment-apps/ on the Splunk Deployment Server.

Step 3: downloaded TA copy location (source) and target Splunk Deployment Server directory

  • Source: \\Network_Share
    • ...\ms_ad_obj_ta_examples
      • ...\Splunk_TA_windows_local_only
        • ...\local
          • ...\inputs.conf
  • Target: ...\splunk
    • ...\etc
      • ...\deployment-apps
        • ...\Splunk_TA_windows
  1. Navigate to the \\Network_Share\ms_ad_obj_ta_examples\Splunk_TA_windows_local_only\ directory.
  2. Copy the complete local/ folder and paste it into the $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_windows/ directory on the Splunk Deployment Server.
  3. (Optional) Customize the pre-defined inputs.conf.
    • For example, if you created indexes other than the recommended ones (wineventlog, perfmon, msad, windows) to store your Windows data, update each index = ... setting in this inputs.conf with your aligned indexes.

Validate Configuration: Review the below table to verify the results from the above steps match the listed deployment-apps/ directory.

Target Splunk Deployment Server Results

  • ...\deployment-apps
    • ...\Splunk_TA_windows
      • ...\local
      • ...\appserver\...
      • ...\bin\...
      • ...\default\...
      • ...\metadata\...
      • ...\README\...
      • ...\static\...
  • ...\deployment-apps
    • ...\Splunk_TA_windows_dc
      • ...\bin\...
      • ...\default\...
      • ...\local
      • ...\README\...
      • ...\static\...
  • ...\deployment-apps
    • ...\Splunk_TA_windows_admon
      • ...\default\...
      • ...\local
      • ...\README\...
      • ...\static\...
Pre-Defined TA Configuration: Create and configure Splunk Deployment Server Classes

Complete the 3 configuration steps while leveraging the table above each step for guidance.

Create the Base Windows Deployment Server Class

  • Server Class Name: Base Windows
  • Application: Splunk_TA_windows
    • Restart Splunk enabled
  • Clients: * or comma separated list of all target Windows systems
  1. In a separate browser tab, log in to your Splunk Deployment Server Web UI
  2. Navigate to Settings > Forwarder Management
  3. Click on the Server Classes tab
  4. Click on the create one link, or the New Server Class button, to create and configure the Splunk Deployment Server Classes
  5. In the Name box, type Base Windows, or a different custom name for collecting all base Windows OS data from all your target Windows Systems.
  6. Click Save
  7. Click the Add Apps button
  8. Click on the Splunk_TA_windows application to add it to the right Selected Apps panel.
  9. Click Save
  10. In the Apps table, click on the Edit dropdown in the Actions column for the Splunk_TA_windows application.
  11. In Edit view, click the option button Restart Splunkd to make sure it is checked.
  12. Click Save
  13. Click the Add Clients button
  14. In the Include (whitelist) box, type in a comma separated list of hostnames, IP addresses and/or wildcards for the Windows Systems targeted by the Server Class.
    • If this is the first time you are creating a Deployment Server Class, you can just put a * in the Whitelist box for the Base Windows Server Class.
    • After your target Windows systems start communicating with the Splunk Deployment Server, you should come back to the Base Windows Server Class and either enter more specific hostnames, IP addresses, etc. in the Whitelist, or keep the * and select one of the options from the Filter by Machine Type dropdown.
  15. Click Save

Create the Domain Controllers Deployment Server Class

  • Server Class Name: Domain Controllers
  • Application: Splunk_TA_windows_dc
    • Restart Splunk enabled
  • Clients: Comma separated list of all target AD Domain Controllers
  1. Navigate back to Forwarder Management
  2. Click on the Server Classes tab
  3. Click on the New Server Class button
  4. In the Name box, type Domain Controllers
  5. Click Save
  6. Click the Add Apps button
  7. Click on the Splunk_TA_windows_dc application to add it to the right Selected Apps panel.
  8. Click Save
  9. In the Apps table, click on the Edit dropdown in the Actions column for the Splunk_TA_windows_dc application.
  10. In Edit view, click the option button Restart Splunkd to make sure it is checked.
  11. Click Save
  12. Click the Add Clients button
  13. In the Include (whitelist) box, type in a comma separated list of your Domain Controller hostnames, IP addresses and/or wildcards.
  14. Click Save

Create the AD admon Monitoring Deployment Server Class

  • Server Class Name: AD admon Monitoring
  • Application: Splunk_TA_windows_admon
    • Restart Splunk enabled
  • Clients: Single host per AD Domain, or if multiple domains then Comma separated list of the host for each AD Domain.
  1. Navigate back to Forwarder Management
  2. Click on the Server Classes tab
  3. Click on the New Server Class button
  4. In the Name box, type AD admon Monitoring
  5. Click Save
  6. Click the Add Apps button
  7. Click on the Splunk_TA_windows_admon application to add it to the right Selected Apps panel.
  8. Click Save
  9. In the Apps table, click on the Edit dropdown in the Actions column for the Splunk_TA_windows_admon application.
  10. In Edit view, click the option button Restart Splunkd to make sure it is checked.
  11. Click Save
  12. Click the Add Clients button
  13. In the Include (whitelist) box, type in a single designated Domain Controller's or Domain Member Server's hostname or IP address.
  14. Click Save

Validate Configuration: Review the below table to verify that the Server Classes created in the above steps match it.

Base Windows:

  • Server Class Name: Base Windows
  • Application: Splunk_TA_windows
    • Restart Splunk enabled
  • Clients: * or comma separated list of all target Windows systems

Domain Controllers:

  • Server Class Name: Domain Controllers
  • Application: Splunk_TA_windows_dc
    • Restart Splunk enabled
  • Clients: Comma separated list of all target AD Domain Controllers

AD admon Monitoring:

  • Server Class Name: AD admon Monitoring
  • Application: Splunk_TA_windows_admon
    • Restart Splunk enabled
  • Clients: Single host per AD Domain, or if multiple domains then a comma separated list of the host for each AD Domain.
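As an added example (not code from the MS Windows AD Objects app or from Splunk), the following Python script performs the two Validate Configuration checks above offline: it compares a deployment-apps/ tree with the expected app folders, flags any index = value in a local/inputs.conf that is not one of the recommended indexes (wineventlog, perfmon, msad, windows), and reads the serverclass.conf that the Forwarder Management steps write to confirm each class has clients, its app attached and Restart Splunkd enabled. It assumes both are readable from the local disk; the sample tree it builds is constructed for the demo and contains two deliberate mistakes.

```python
"""Offline checks for the two Validate Configuration tables above. Added example, not code from
the MS Windows AD Objects app or Splunk; assumes deployment-apps/ and serverclass.conf are local."""
import configparser
import os
import tempfile

RECOMMENDED_INDEXES = {"wineventlog", "perfmon", "msad", "windows"}  # the four the guide names
# Expected deployment-apps/ layout and server class -> app mapping (the two validation tables).
EXPECTED_APPS = {
    "Splunk_TA_windows": {"local", "appserver", "bin", "default", "metadata", "README", "static"},
    "Splunk_TA_windows_dc": {"bin", "default", "local", "README", "static"},
    "Splunk_TA_windows_admon": {"default", "local", "README", "static"},
}
EXPECTED_CLASSES = {
    "Base Windows": "Splunk_TA_windows",
    "Domain Controllers": "Splunk_TA_windows_dc",
    "AD admon Monitoring": "Splunk_TA_windows_admon",
}


def read_conf(path):
    """Parse a Splunk .conf file: INI-like stanzas, '#' comments, case-sensitive keys."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case, e.g. restartSplunkd, whitelist.0
    cp.read(path, encoding="utf-8")
    return cp


def check_deployment_apps(deployment_apps, allowed=RECOMMENDED_INDEXES):
    """Return problems with the app folders and with index= values in local/inputs.conf."""
    problems = []
    for app, subdirs in EXPECTED_APPS.items():
        app_dir = os.path.join(deployment_apps, app)
        if not os.path.isdir(app_dir):
            problems.append(f"{app}: not present in deployment-apps/")
            continue
        for sub in sorted(subdirs - set(os.listdir(app_dir))):
            problems.append(f"{app}: missing {sub}/")
        inputs = os.path.join(app_dir, "local", "inputs.conf")
        if not os.path.isfile(inputs):
            continue  # nothing customised; the TA's default/ values apply
        cp = read_conf(inputs)
        for stanza in cp.sections():
            idx = cp.get(stanza, "index", fallback=None)
            if idx is not None and idx.strip() not in allowed:
                problems.append(f"{app}: [{stanza}] index={idx.strip()} is not one of {sorted(allowed)}")
    return problems


def check_serverclass(serverclass_conf):
    """Return problems with the three server classes the Forwarder Management steps create."""
    problems = []
    cp = read_conf(serverclass_conf)
    for name, app in EXPECTED_CLASSES.items():
        cls = f"serverClass:{name}"
        if not cp.has_section(cls):
            problems.append(f"{name}: server class not defined")
            continue
        if not any(k.startswith("whitelist.") for k in cp.options(cls)):
            problems.append(f"{name}: no clients in Include (whitelist)")
        app_stanza = f"{cls}:app:{app}"
        if not cp.has_section(app_stanza):
            problems.append(f"{name}: app {app} not added")
        elif cp.get(app_stanza, "restartSplunkd", fallback="false").strip().lower() not in ("true", "1"):
            problems.append(f"{name}: Restart Splunkd not enabled for {app}")
    return problems


def build_sample_tree(root):
    """Construct a sample Deployment Server layout containing two deliberate mistakes."""
    dep = os.path.join(root, "deployment-apps")
    for app, subdirs in EXPECTED_APPS.items():
        for sub in subdirs:
            os.makedirs(os.path.join(dep, app, sub), exist_ok=True)
    # Constructed inputs.conf: the perfmon stanza names a non-recommended index.
    with open(os.path.join(dep, "Splunk_TA_windows", "local", "inputs.conf"), "w") as f:
        f.write("[WinEventLog://Security]\ndisabled = 0\nindex = wineventlog\n\n"
                "[perfmon://CPU]\ndisabled = 0\nindex = perf_mon\n")
    # Constructed serverclass.conf: the admon class was saved without Restart Splunkd.
    sc = os.path.join(root, "serverclass.conf")
    with open(sc, "w") as f:
        f.write("[serverClass:Base Windows]\nwhitelist.0 = *\n\n"
                "[serverClass:Base Windows:app:Splunk_TA_windows]\nrestartSplunkd = true\n\n"
                "[serverClass:Domain Controllers]\nwhitelist.0 = dc01.corp.example\nwhitelist.1 = dc02.corp.example\n\n"
                "[serverClass:Domain Controllers:app:Splunk_TA_windows_dc]\nrestartSplunkd = true\n\n"
                "[serverClass:AD admon Monitoring]\nwhitelist.0 = dc01.corp.example\n\n"
                "[serverClass:AD admon Monitoring:app:Splunk_TA_windows_admon]\nstateOnClient = enabled\n")
    return dep, sc


def run_demo():
    """Build the sample tree in a temp dir and return every problem found (two expected)."""
    with tempfile.TemporaryDirectory() as root:
        dep, sc = build_sample_tree(root)
        return check_deployment_apps(dep) + check_serverclass(sc)
```

On a real Deployment Server, point check_deployment_apps() at $SPLUNK_HOME/etc/deployment-apps and check_serverclass() at the serverclass.conf the UI writes under $SPLUNK_HOME/etc/system/local/.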
Install the Splunk Heavy Forwarder

The Splunk Heavy Forwarder is a type of forwarder: a Splunk Enterprise instance that sends data to another Splunk Enterprise instance or Splunk Cloud environment.

  • You can skip the below steps if you already have the Heavy Forwarder installed in your Splunk environment.
  • Follow the below steps for the OS type you will be installing the Heavy Forwarder on.
  • If you didn't download the Splunk Enterprise software in the previous preparation steps, then Click Download to download the Splunk Enterprise software that will be used to install the Splunk Heavy Forwarder.
  • Do not install on the same machine as a Splunk Universal Forwarder.
Install Splunk Heavy Forwarder on Windows

You can install Splunk Enterprise on Windows with the Graphical User Interface (GUI)-based installer or from the command line. More options, such as silent installation, are available if you install from the command line. See Install on Windows from the command line for the command line installation procedure.

  • You cannot install or run the 32-bit version of Splunk Enterprise for Windows on a 64-bit Windows machine. You also cannot install Splunk Enterprise on a machine that runs an unsupported OS. For example, you cannot install Splunk Enterprise on a machine that runs Windows Server 2003. See System requirements. If you attempt to run the installer in such a way, it warns you and prevents the installation.
  • Before you install
    • Choose the Windows user Splunk should run as
      • Before installing, see Info to determine which user account Splunk should run as to address your specific needs. The user you choose has ramifications on what you must do prior to installing the software, and more details can be found there.
    • Disable or limit antivirus software if able
      • The Splunk Enterprise indexing subsystem requires high disk throughput. Any software with a device driver that intermediates between Splunk Enterprise and the operating system can restrict processing power available to Splunk Enterprise, causing slowness and even an unresponsive system. This includes anti-virus software.
      • You must configure such software to avoid on-access scanning of Splunk Enterprise installation directories and processes before you start a Splunk installation.
    • Consider installing Splunk software into a directory with a short path name
      • By default, the Splunk MSI file installs the software to \Program Files\Splunk on the system drive (the drive that booted your Windows machine). While this directory is fine for many Splunk software installations, it might be problematic for installations that run in distributed deployments or that employ advanced Splunk features such as search-head or indexer clustering.
      • The Windows API has a path limitation of MAX_PATH which Microsoft defines as 260 characters including the drive letter, colon, backslash, 256-characters for the path, and a null terminating character. Windows cannot address a file path that is longer than this, and if Splunk software creates a file with a path length that is longer than MAX_PATH, it cannot retrieve the file later. There is no way to change this configuration.
      • To work around this problem, if you know that the instance will be a member of a search head or indexer cluster, consider installing the software into a directory with a short path length, for example C:\Splunk or D:\SPL.
  • Begin the installation
    1. Copy the previously downloaded Splunk Enterprise Software from the Network Share to the target Splunk Heavy Forwarder system.
    2. To start the installer, double-click the splunk.msi file. The installer runs and displays the Splunk Enterprise Installer panel.
    3. To continue the installation, check the "Check this box to accept the License Agreement" checkbox. This activates the "Customize Installation" and "Next" buttons.
      • (Optional) If you want to view the license agreement, click View License Agreement.
      • Next Step - Installation Options

        The Windows installer gives you two choices: Install with the default installation settings, or configure all settings prior to installing. When you choose to install with the default settings, the installer does the following:

        • Installs Splunk Enterprise in \Program Files\Splunk on the drive that booted your Windows machine.
        • Installs Splunk Enterprise with the default management and Web network ports.
        • Configures Splunk Enterprise to run as the Local System user.
        • Prompts you to create a Splunk administrator password. You must do this before installation can continue.
        • Creates a Start Menu shortcut for the software.
    • Continue with Customize Options
      1. Click Customize Options button.
      2. Click Change… to specify a different location to install Splunk Enterprise, or click Next to accept the default value.
      3. The installer displays the "Choose the user Splunk Enterprise should run as" panel. Select a user type and click Next.
        • If you selected the Local System user, proceed to Step 5. Otherwise, the installer displays the Logon Information: specify a username and password panel.
      4. Enter the Windows credentials that Splunk Enterprise uses to run on the machine and click Next.
        • These credentials are different from the Splunk administrator credentials that you create in the next step.
      5. Create credentials for the Splunk administrator user by entering a username and password that meets the minimum eligibility requirements as shown in the panel and click Next.
        • You must perform this action as the installation cannot proceed without your completing it. If you do not enter a username, the installer creates the admin user during the installation process.
      6. The installer displays the installation summary panel. Click Install to proceed with the installation.
      7. Click Finish. The installation completes, Splunk Enterprise starts and launches in a supported browser if you checked the appropriate box.
    • Or Continue With Default Options
      1. Click Next
      2. Enter the Windows credentials that Splunk Enterprise uses to run on the machine and click Next.
        • These credentials are different from the Splunk administrator credentials that you create in the next step.
      3. The installer displays the installation summary panel. Click Install to proceed with the installation.
      4. Click Finish. The installation completes, Splunk Enterprise starts and launches in a supported browser if you checked the appropriate box.
Install Splunk Heavy Forwarder on Linux

You can install Splunk Enterprise on Linux using RPM or DEB packages or a tar file, depending on the version of Linux your host runs.

  • Tar file installation
    • What to know before installing with a tar file:
      • Knowing the following items helps ensure a successful installation with a tar file:
        • Some non-GNU versions of tar might not have the -C argument available. In this case, to install in /opt/splunk, either cd to /opt or place the tar file in /opt before you run the tar command. This method works for any accessible directory on your host file system.
        • Splunk Enterprise does not create the splunk user. If you want Splunk Enterprise to run as a specific user, you must create the user manually before you install.
        • Confirm that the disk partition has enough space to hold the uncompressed volume of the data you plan to keep indexed.
    • Installation procedure:
      1. Expand the tar file into an appropriate directory using the tar command:
        tar xvzf splunk_package_name.tgz

        The default installation directory is splunk in the current working directory. To install into /opt/splunk, use the following command:

        tar xvzf splunk_package_name.tgz -C /opt
  • RedHat RPM installation
    • RPM packages are available for Red Hat, CentOS, and similar versions of Linux.
    • The rpm package does not provide any safeguards when you use it to upgrade. While you can use the --prefix flag to install it into a different directory, upgrade problems can occur if the directory that you specified with the flag does not match the directory where you initially installed the software.
    • After installation, software package validation commands (such as rpm -Vp <rpm_file>) might fail because of intermediate files that get deleted during the installation process. To verify your Splunk installation package, use the splunk validate files CLI command instead.
    1. Confirm that the RPM package you want is available locally on the target host.
    2. Verify that the Splunk Enterprise user account that will run the Splunk services can read and access the file.
    3. If needed, change permissions on the file.
      chmod 644 splunk_package_name.rpm
    4. Invoke the following command to install the Splunk Enterprise RPM in the default directory /opt/splunk.
      rpm -i splunk_package_name.rpm
    5. (Optional) To install Splunk in a different directory, use the --prefix flag.
      rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
    • Automate RPM installation with Red Hat Linux Kickstart

      • If you want to automate an RPM install with Kickstart, edit the kickstart file and add the following.
        ./splunk start --accept-license
        ./splunk enable boot-start

        Note: The enable boot-start line is optional.

  • Debian .DEB installation
    • Prerequisites to installation
      • You can install the Splunk Enterprise Debian package only into the default location, /opt/splunk.
      • This location must be a regular directory, and cannot be a symbolic link.
      • You must have access to the root user or have sudo permissions to install the package.
      • The package does not create environment variables to access the Splunk Enterprise installation directory. You must set those variables on your own.

      Note: If you need to install Splunk Enterprise somewhere else, or if you use a symbolic link for /opt/splunk, then use a tar file to install the software.

    • Installation procedure
      • Run the dpkg installer with the Splunk Enterprise Debian package name as an argument.
        dpkg -i splunk_package_name.deb

      Debian commands for showing installation status

      • Splunk package status:
        dpkg --status splunk
      • List all packages:
        dpkg --list

      Information on expected default shell and caveats for Debian shells

      • Splunk Enterprise expects you to run commands from the bash shell. It expects bash to be available from /bin/sh.
      • On later versions of Debian Linux (for example, Debian Squeeze), the default shell is the dash shell.
      • Using the dash shell can result in zombie processes - processes that have completed execution, yet remain in the process table and cannot be killed or removed.
      • If you run Debian Linux, consider changing your default shell to be bash.
  • Now that you have installed the Splunk Heavy Forwarder:
Enable Receiver Port on Splunk Heavy Forwarder

We will now cover the steps to enable and configure the Receiving Port on your Splunk Indexer(s) using the Splunk Web console.

  • You can skip the below steps if you already have the Receiving Port enabled on your Splunk Heavy or Gateway Forwarder System.
  • Configure a receiver using the command line:
    1. Open a shell prompt
    2. Change the path to $SPLUNK_HOME/bin
    3. Type: splunk enable listen <port> -auth <username>:<password>
      • Replace <port> with the port you will specify for your Splunk Universal Forwarders (Default is 9997)
      • Replace <username> and <password> with the username and password you used when you installed Splunk on this instance.
      • Example: splunk enable listen 9997 -auth admin:mysecretpassword
    4. Do Not Restart until all the Steps listed in the left panel have been completed.
    5. Proceed to the next Preparation Item.
  • OR Configure a receiver port using the Splunk UI:
    1. Log into Splunk Web on your Splunk Heavy/Gateway Forwarder as a user with the admin role.
    2. In Splunk Web, go to Settings > Forwarding and receiving.
    3. Select "Configure receiving."
    4. Verify if there are existing receiver ports open. You cannot create a duplicate receiver port. The conventional receiver port on indexers is port 9997.
    5. Select "New Receiving Port."
    6. Add a port number (default is 9997)
    7. Click the Save button.
Install the Splunk Cloud Credentials App

We will now cover the steps to install the Splunk Cloud Credentials Application on the Splunk Heavy Forwarder.

  • Click the cloud icon for a Diagram
  • If you didn't previously download the Splunk Cloud Credentials App Click for instructions.
  • If you already have the Splunk Cloud Credentials App installed on your Splunk Heavy Forwarder, then skip to this step.
  1. In a separate browser tab, log in to your Splunk Heavy Forwarder instance with a user that has the admin role.
  2. Navigate to Apps menu dropdown > Manage Applications
  3. Click Install From File.
  4. In the pop-up directory window, go to the Network Share where you downloaded the Universal Forwarder Credentials application, and click on the splunkclouduf.spl file
  5. Click the Upload button to install the Splunk Cloud Credentials application on the Heavy Forwarder Instance.
  6. Follow the prompts to complete the installation.
  7. Click Restart Later. Don't Restart the Splunk Instance until after you have completed all of the remaining Preparation Tasks listed in the left panel.
Install the Splunk Add-On for Microsoft Windows App

We will now cover the steps to install the Splunk Add-On for Microsoft Windows App Application on the Splunk Heavy Forwarder.

  • If you already have the Splunk Add-Ons for Microsoft Windows installed on your Splunk Heavy Forwarder, then skip to this step.
  1. In a separate browser tab, log in to your Splunk Heavy Forwarder instance with a user that has the admin role.
  2. Navigate to Apps menu dropdown > Manage Applications
  3. Click Install From File.
  4. In the pop-up directory window, go to the Network Share where you downloaded the Splunk_TA_windows application, and click on the Splunk_TA_windows.spl file
  5. Click the Upload button to install the Splunk Add-On for Microsoft Windows application on the Heavy Forwarder Instance.
  6. Follow the prompts to complete the installation.
  7. Click Restart Later. Don't Restart the Splunk Instance until after you have completed all of the remaining Preparation Tasks listed in the left panel.
Pre-Defined TA Configuration: Copy App(s) to Network Share for manually deploying to the Splunk Universal Forwarders.

Complete the below 5 steps while leveraging the table above each step for guidance.

Network Share - Create Folders

  • \\Network_Share
    • ...\Splunk UF TAs
      • ...\Base Windows
      • ...\Domain Controllers
      • ...\AD admon Monitoring
  1. Using a terminal/file explorer, navigate to the \\Network_Share\ directory
  2. Create a new folder with the name Splunk UF TAs
  3. Navigate into the Splunk UF TAs Folder.
  4. Create the following 3 folders directly under the Splunk UF TAs folder.
    • Base Windows
    • Domain Controllers
    • AD admon Monitoring

Downloaded TA Copy Location:

  • ...\Downloaded TA Location
    • ...\Splunk_TA_windows

Target: \\Network_Share\Splunk UF TAs

  • \\Network_Share
    • ...\Splunk UF TAs
      • ...\Base Windows
  1. Using a terminal/file explorer, navigate to the location where you previously downloaded the Splunk Add-On for Microsoft Windows (Splunk_TA_windows) application.
  2. Copy the complete Splunk_TA_windows directory and paste it into the \\Network_Share\Splunk UF TAs\Base Windows directory.
  • If you didn't previously download the Splunk Add-On for Microsoft Windows then Click to download it locally
  • Extract the downloaded file and copy the extracted Splunk_TA_windows to the \\Network_Share\Splunk UF TAs\Base Windows\ directory.

Downloaded TA Copy Location:

  • ...\Downloaded TA Location
    • ...\ms_ad_obj_ta_examples
      • ...\Splunk_TA_windows_local_only
        • ...\local\...

Target: \\Network_Share\Splunk UF TAs\Base Windows\Splunk_TA_windows

  • \\Network_Share
    • ...\Splunk UF TAs
      • ...\Base Windows
        • ...\Splunk_TA_windows
  1. Using a terminal/file explorer, navigate to the location where you previously downloaded and extracted the MS AD Windows Objects TA Examples (ms_ad_obj_ta_examples.zip) file.
  2. Navigate into the ...\ms_ad_obj_ta_examples\Splunk_TA_windows_local_only\ directory.
  3. Copy the complete \local directory
  4. Paste it into the \\Network_Share\Splunk UF TAs\Base Windows\Splunk_TA_windows\ directory
  5. (Optional) Customize the following pre-defined inputs.conf.

\\Network_Share\Splunk UF TAs\Base Windows\Splunk_TA_windows

\\Network_Share\Splunk UF TAs\Domain Controllers\

  • \\Network_Share
    • ...\Splunk UF TAs
      • ...\Base Windows
        • ...\Splunk_TA_windows
  • \\Network_Share
    • ...\Splunk UF TAs
      • ...\Domain Controllers\
  1. Navigate into the ...\ms_ad_obj_ta_examples\ directory.
  2. Copy the complete Splunk_TA_windows_dc directory.
  3. Paste it into the \\Network_Share\Splunk UF TAs\Domain Controllers\ directory.
  4. (Optional) Customize the following pre-defined inputs.conf.

Downloaded TA Copy Location:

  • \\Downloaded TA Copy Location
    • ...\ms_ad_obj_ta_examples
      • ...\Splunk_TA_windows_admon

Target: \\Network_Share\Splunk UF TAs\

  • \\Network_Share
    • ...\Splunk UF TAs
      • ...\AD admon Monitoring\
  1. Navigate into the ...\ms_ad_obj_ta_examples\ directory.
  2. Copy the complete Splunk_TA_windows_admon directory.
  3. Paste it into the \\Network_Share\Splunk UF TAs\AD admon Monitoring\ directory.
  4. (Optional) Customize the following pre-defined inputs.conf.

Validate Configuration: Review the below table to verify the results from the above steps match the listed \\Network_Share\Splunk UF TAs\ directory.

Target \\Network_Share\Splunk UF TAs\

  • ...\Splunk UF TAs\Base Windows
    • ...\Splunk_TA_windows
  • ...\Splunk UF TAs\Domain Controllers
    • ...\Splunk_TA_windows
    • ...\Splunk_TA_windows_dc
  • ...\Splunk UF TAs\AD admon Monitoring
    • ...\Splunk_TA_windows_admon
Important Upgrade Configuration: Adjust or verify Splunk Knowledge Objects

Review the Autocheck Results and follow the below steps to update the appropriate Macros that are now used to point to specific indexes. This replaces the previous version's use of eventtypes.

Auto Check Information:
  • An autocheck search was executed to check if the defined indexes in the required macros are available (created).
  • All of the indexes that are defined in the below macros have been found. However, it is still recommended to review the table below to make sure the created indexes align with the correct Data Type for each macro.
  • Review the below Troubleshooting Steps:
    • If you created different index names for your Windows/Active Directory data, then follow the Adjusting the Macros used by the MS AD Windows Objects steps below.
    • Troubleshooting Steps if you created the recommended indexes (wineventlog,perfmon,msad,windows)

      Verify Role Index Permissions:

      1. Click Review Roles to open the Roles page
      2. Click on the Role(s) that is associated with your account
      3. Click on the 3. Indexes Link
      4. Verify that the Default box is selected for each of the created indexes (wineventlog,perfmon,msad,windows)
      5. Click Save and Click the Rerun Autocheck button below to rerun the autocheck and update the results
        • If it is still showing errors after running the above, and you are sure you created the default indexes, then you can proceed to the next Preparation item
    • Click Rerun Autocheck to rerun the autocheck if you completed the above troubleshooting or the preparation steps below.
Macro to Index Definitions:

Adjusting the Macros used by the MS AD Windows Objects

  1. Click Macro Settings to open the settings page for the macros or click on the individual macro names below, to adjust the macro definition.
  2. Use the below list to match up the custom indexes you created for your windows data with the appropriate macro:
  3. Click on the individual macro links to update the definition with your aligned custom indexes (using OR for multiple indexes, e.g. index=winosevt OR index=winossecurityevt).
  4. Click Save after adjusting each of the above macros.
  5. Click Rerun Autocheck to rerun the autocheck search to validate your changes.
  6. After adjusting the macros and verifying the changes, proceed to the next Preparation item.
Download and Compare MS AD Windows Objects TA Examples
- These pre-defined inputs and TAs are configured with optimal, recommended input settings to help get you started getting Windows Data into your Splunk Environment.

Use the below buttons to view the settings of the downloaded TA Examples, for comparing against currently deployed Windows inputs.

  • Base Windows Pre-Defined Inputs: to review the configured settings of the Base Windows Example TA's.
  • Active Directory Pre-Defined Inputs: to review the configured settings of the Active Directory Example TA's.

Category

Description

Knowledge Objects Update

Update the appropriate Macros that are now used to point to specific indexes. This replaces the previous version's use of eventtypes.

Group Membership (memberOf) Update

  • To make the underlying searches and lookups more efficient, the memberOf field will no longer be maintained in the AD_Obj_User/AD_Obj_Computer/AD_Obj_Group lookups.
  • Instead, the AD_Obj_Group lookup will maintain the member field, which contains the group membership for the specific group.
  • To retrieve an individual User/Computer/Group group membership, you can use the lookup command to retrieve the objects membership. See the below example search:
    • lookup command: Ex. | inputlookup AD_Obj_User WHERE sAMAccountName="test_user" | lookup AD_Obj_Group member AS dn OUTPUT dn AS memberOf

Lookup Table Updates

The MS Windows AD Objects application now uses the KVStore for its lookup tables. Review the below list to map each previous version lookup, which used csv files, to its new KVStore lookup:

Previous csv Lookup → KVStore Lookup, with a description of each lookup table:

  • AD_Domain_Selector → AD_Obj_Domain
    • This lookup contains the AD Domain(s) DNS, NetBIOS, Site and Forest information, collected by the [powershell://AD-Health] OR [script://.\bin\runpowershell.cmd nt6-health.ps1] data input on an AD Domain Controller.
  • AD_User_LDAP_list → AD_Obj_User
    • This lookup contains the collected and updated AD User attributes.
  • AD_Groups_LDAP_list → AD_Obj_Group
    • This lookup contains the collected and updated AD Group attributes.
  • AD_Computer_LDAP_list → AD_Obj_Computer
    • This lookup contains the collected and updated AD Computer attributes.
  • AD_OU_LDAP_list → AD_Obj_OU
    • This lookup contains the collected and updated AD Organizational Unit and Container attributes.
  • AD_GroupPolicies_LDAP_list → AD_Obj_GPO
    • This lookup contains the collected and updated AD Group Policy attributes.
  • AD_Admin_Audit_list → AD_Obj_Admin_Audit
    • This lookup contains a list of Administrators and their AD Attributes. Administrators are determined by source user (src_user) accounts that make changes to AD Objects other than their own account.