Introduction - MS Windows AD Objects - Getting Started and Data In Guide

The MS Windows AD Objects application leverages admon data to build and update local AD Objects Splunk lookups. These lookup files can be used to look up the latest (< 10 Minutes) AD attribute information for User, Group, Group Policy, Organizational Unit, and Computer AD objects. This app contains updated .conf files for the Splunk® for Windows Infrastructure that replace the Splunk® Support for Active Directory LDAP queries in its searches, macros, palette panels, and dashboards with the local Splunk AD Objects lookup files.

Getting Started and Data In Guide Information

What's in this Guide?
This Guide is specifically designed to help you not only configure the MS Windows AD Objects application, but also to quickly get your Windows and Active Directory data into Splunk.
To align the configuration steps with your Splunk environment and deployment needs, Section Step 1: Scope Definition collects some basic information about your environment and deployment plans.
How to use this Guide
Each Section Step of this guide builds on the previous Part. Verify that all of the previous steps and requirements have been completed before proceeding to the next Part.
Goals for the Guide
At the end, you will have your Windows/Active Directory data flowing into Splunk, have the MS Windows AD Objects application configured, and be well on your way to leveraging the power of Splunk.
Useful Information
New to Splunk: If you are new to Splunk, it is recommended that you follow the steps exactly as outlined; once you become more familiar with Splunk you can adjust the different configurations, such as data inputs, indexes, etc.
Current Splunk Ninja: If you are a Splunk Ninja, it is still recommended that you walk through this guide to ensure the required MS Windows AD Objects application configuration steps are completed.
Upgrading Pre-Version 4.0 - MS Windows AD Objects: If you are upgrading the MS Windows AD Objects application from a version prior to Version 4.0, it is highly recommended that you walk through this guide, because this version has numerous enhancements that you will want to take advantage of, and you will want to make sure there is no impact to any custom dashboards/reports created in the previous version.

Guide Part Descriptions

Section Step 1: Scope Definition
Required: This step is used to align the subsequent steps with your environment and deployment plans.
Section Step 2: Preparation
Provides the preparation steps for the Splunk Core components, MS Windows AD Objects and TA Configuration.
Section Step 3: Deployment
Covers the steps for distributing the previously configured Splunk Technical Add-Ons to the target Windows Systems.
Section Step 4: Check Data
This section provides a way to verify and troubleshoot the previous configuration steps.
Section Step 5: Build Lookups
This last section walks through the final step of building the MS Windows AD Objects lookup tables.
Section Step Navigation:
Use the Prev Next navigation buttons to progress through each Section or click on the Sections icon.

Application Architecture and Data Sources

Required Applications

Splunk Add-On for Windows (Splunk_TA_windows)
This TA (Technical Add-On) provides the base Windows data collection.
MS Windows AD Objects
The MS Windows AD Objects application provides over 50 dashboards and reports that primarily leverage admon (Active Directory) data, which is built and updated in KV Store lookups.
Splunk Cloud UF App (Splunk Cloud™ Only)
You install this app on your forwarder, heavy forwarder, or on your deployment server, and it allows you to easily connect to Splunk Cloud.
  • The MS Windows AD Objects application provides pre-configured TA inputs for collecting Windows and Active Directory data. These are provided to help get you started with best practices, but they can be adjusted for your specific needs. These pre-defined TAs are preceded by the icon in this guide ( Download TA Examples)
Splunk Core: Installed Applications
  • Splunk Cloud™ Managed Environment:
    • MS Windows AD Objects
    • Splunk Add-On for Windows (Splunk_TA_windows)
    • A cloud support ticket will need to be opened to add the Splunk Add-On for Windows to the Splunk Cloud Search Heads.
    • Make sure Sharing is set to Global for all eventtypes, macros, and field extractions.
  • Splunk® Enterprise:
    • Splunk Search Head:
      • MS Windows AD Objects
      • Splunk Add-On for Windows (Splunk_TA_windows)
    • Splunk Indexer:
      • Splunk Add-On for Windows (Splunk_TA_windows)
    • Splunk Heavy Forwarder:
      • Splunk_TA_windows
    • Splunk Deployment Server:
      • Splunk_TA_windows (* Full App and local\inputs.conf)
      • Splunk_TA_windows_dc
      • Splunk_TA_windows_admon
Splunk Universal Forwarders: Applications
  • Windows Member Servers:
    • Splunk_TA_windows (* Full App and local\inputs.conf)
  • All Domain Controllers:
    • Splunk_TA_windows (* Full App and local\inputs.conf)
    • Splunk_TA_windows_dc
  • Admon Collection:
    • Only deploy this TA to one AD Domain Controller per AD Domain:
      • Splunk_TA_windows_admon
      • Note: When deploying to a Domain Controller, Splunk_TA_windows_admon is deployed alongside the Splunk_TA_windows and Splunk_TA_windows_dc specified in the All Domain Controllers section above.
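The forwarder-to-TA mapping above, together with the three apps staged on the Splunk Deployment Server, expressed as a deployment server serverclass.conf. This is an added example and not a file shipped with the app; the hostname patterns (dc*.corp.example, dc01.corp.example) are assumed placeholders for your own naming convention.

```ini
# Added example serverclass.conf for the deployment server
# ($SPLUNK_HOME/etc/system/local/serverclass.conf). Assumes the three TAs are
# already staged under $SPLUNK_HOME/etc/deployment-apps/ and that the
# local\inputs.conf has been placed inside the staged Splunk_TA_windows.
# Hostname patterns are placeholders; replace them with your real host names.

# 1. Every Windows forwarder (member servers and domain controllers) gets the base TA.
[serverClass:windows_all]
whitelist.0 = *
machineTypesFilter = windows-x64, windows-intel

[serverClass:windows_all:app:Splunk_TA_windows]
restartSplunkd = true

# 2. All domain controllers additionally get the DC-specific inputs.
[serverClass:windows_domain_controllers]
whitelist.0 = dc*.corp.example

[serverClass:windows_domain_controllers:app:Splunk_TA_windows_dc]
restartSplunkd = true

# 3. Admon collection: exactly one DC per AD domain, pinned by full host name as
#    the guide requires. Add one whitelist.N entry per additional AD domain;
#    never use a wildcard here, or every DC in the domain would collect admon.
[serverClass:windows_admon_collector]
whitelist.0 = dc01.corp.example

[serverClass:windows_admon_collector:app:Splunk_TA_windows_admon]
restartSplunkd = true
```

Apply the file with `splunk reload deploy-server` and confirm in Forwarder Management that only the intended DC is a member of the windows_admon_collector class.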