You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
34 lines
1.8 KiB
34 lines
1.8 KiB
# MS Windows AD Objects provided pre-defined - admon input
|
|
# - Custom Input Settings from the Splunk_TA_windows TA
|
|
#
|
|
# ---------------------------------------------------------------------------------------
|
|
# NOTE:
|
|
# *** This inputs.conf only contains the admon input, and should ONLY be placed
|
|
# on one Windows System per AD Domain, preferably on a Domain Controller,
|
|
# or it can be a member server. IF use a non-Domain Controller system, then the
|
|
# SplunkForwarder service needs to be running as an AD Account with read access
|
|
# to the target domain, and it is recommended to add the setting of targetDc
|
|
# with the value as an AD Domain Controllers Hostname.
|
|
# - For best performance running it from the local domain controller is the
|
|
# best option.
|
|
# ---------------------------------------------------------------------------------------
|
|
#
|
|
# Special Notes:
|
|
# - **Important:
|
|
# - The setting index=... has been added to the admon enabled input.
|
|
# Make sure you have created the msad index or you can specify a different index.
|
|
# - A baseline is create ONLY during the first iteration of data collection. So if you aren't seeing
|
|
# any sourcetype=ActiveDirectory admonEventType="Sync" data returned in your splunk search view, then:
|
|
# - 1. Stop the splunk Forwarder Service
|
|
# - 2. Using Windows File Explorer go to
|
|
# /SplunkUniversalForwarder/var/lib/splunk/persisstantstorage/AdMon directory.
|
|
# - 3. Delete all of the .ini's from this directory (ie default.ini, etc)
|
|
# - 4. Start the Splunk Forwarder Service
|
|
# ---------------------------------------------------------------------------------------
|
|
|
|
[admon://default]
|
|
disabled = 0
|
|
monitorSubtree = 1
|
|
baseline = 1
|
|
index=msad
|
|
#targetDc = enter hostname for a Domain Controller |