# MS Windows AD Objects provided pre-defined - admon input 
# - Custom Input Settings from the Splunk_TA_windows TA
#
#  --------------------------------------------------------------------------------------- 
#  NOTE: 
#        *** This inputs.conf only contains the admon input, and should ONLY be placed
#        on one Windows System per AD Domain, preferably on a Domain Controller, 
#		 or it can be a member server. IF use a non-Domain Controller system, then the 
#		 SplunkForwarder service needs to be running as an AD Account with read access
#		 to the target domain, and it is recommended to add the setting of targetDc 
#		 with the value as an AD Domain Controllers Hostname.   
#		     - For best performance running it from the local domain controller is the 
#			 best option.
#  ---------------------------------------------------------------------------------------
#
# Special Notes:
#    - **Important: 
#	    - The setting index=... has been added to the admon enabled input.  
#         Make sure you have created the msad index or you can specify a different index.
#    - A baseline is create ONLY during the first iteration of data collection.   So if you aren't seeing
#    any sourcetype=ActiveDirectory admonEventType="Sync" data returned in your splunk search view, then:
#        - 1. Stop the splunk Forwarder Service
#		 - 2. Using Windows File Explorer go to 
#			     /SplunkUniversalForwarder/var/lib/splunk/persisstantstorage/AdMon directory.
#        - 3. Delete all of the .ini's from this directory (ie default.ini, etc)
#        - 4. Start the Splunk Forwarder Service
#  ---------------------------------------------------------------------------------------

[admon://default]
disabled = 0
monitorSubtree = 1
baseline = 1
index=msad
#targetDc = enter hostname for a Domain Controller