Add Data > Forward is specifically referencing the way to create an input from your Enterprise GUI, and have those input instructions sent to your remote UF. This is the deployment server / deployment client mechanism, and is a completely separate thing from having a forwarder forward info. The reason that didn't work is that you may have a UF up and ready, but that doesn't mean the same thing as making it a deployment client ready to receive instructions.

What you also need is your UF to be able to send data to the indexer. There's also really no such thing as adding a receiving forwarder on 9997; my guess is that you simply made your Splunk Enterprise instance ready to receive data over 9997.

EDIT: this next chunk, with the command, was accomplished when you 'added' the forwarder during setup, based on the response you gave in the thread above.

This can be done multiple ways, but the easiest would be to go to $SPLUNK_HOME\bin on your forwarder and run `splunk add forward-server $yourIndexer:9997`. That is going to get your UF to actually be able to send data to your indexer. Again, this is completely separate from that add data > forward option you were discussing, which is how you can send remote instructions to your UFs from a central node (deployment server) moving forward.

- The deployment server / deployment client relationship allows you to send apps (instruction bundles) to lots of forwarders at once. AFTER that relationship is established, the add data > forward option would be available to you.
- Getting a forwarder to send data to another Splunk instance (most likely directly to your indexer) requires an nf on the receiving side with stanza, and an nf on the forwarder side with and stanzas. Once that is established, then you can teach your forwarder what sources of data to collect.

So, what you will end up doing is putting more nf files on your forwarder to teach it what data sources to grab up and send up the chain. If your org will pay for it, I would very strongly recommend you take the Systems Administration and Data Administration classes from Splunk, in that order.

Okay, so forget about the add data > forward thing for now; that's a whole layer of added complexity that you don't need to worry about.

First step, make sure your UF is at least communicating with the indexer. Like you said, during the initial setup process, the Windows UF prompted you to enter in the info of the indexer you wanted to send data to. You should be able to confirm this by checking that there is some info in $SPLUNK_HOME/etc/system/local/nf (forgive my Linux slashes).

Next step, if you haven't already, log onto the GUI of your indexer, and go to Settings > Forwarding and Receiving > Configure Receiving. If you don't see any entries, then click New Receiving Port (green button in the upper right) and add 9997. This is what makes your indexer actually listen for data.

At this point, you should be able to already see at least Splunk internal logs getting sent 'up the pipe'. Run the following search: `index=_internal | stats count by host` and you should see your forwarder's hostname as one of the hosts sending data.

At that point, you can start teaching your UF how to actually pick up the data sources you care about. That Windows add-on that you installed on the UF is just a bundle of .conf files teaching the UF how to read data (most importantly, nf). These are the docs pages for that particular add-on. You're working at a severe disadvantage here without the baseline Splunk know-how to configure an app, though, so it may not read very cleanly.

Anyway, I hope this helps! Text is kind of hard to really show this stuff through, unfortunately.

Deploy the Splunk Add-on for Microsoft Active Directory

Note: If you are using TA-Windows version 6.0.0 or later then you don't need TA_AD and TA_DNS, as they are merged with TA-Windows. To configure TA-Windows v6.0.0, please refer to Deploy and configure the Splunk Add-on for Windows version 6.0.0 or later.

The deployment server (the Splunk Enterprise instance that manages and updates configurations and apps for universal forwarders in a deployment) must be made aware of the Splunk Add-on for Microsoft Active Directory before you can send the add-on to deployment clients.

Deploy the Splunk Add-on for Microsoft Active Directory to a select group of domain controllers

Consider the number of domain controllers that you deploy the Active Directory add-ons to. Best practice is that only one domain controller in an Active Directory domain or forest receives the add-on, with one or two other DCs receiving it as a backup.
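A check for the forwarder/indexer pairing the replies above describe, added here as an example that is not the poster's code or Splunk's: it parses a constructed forwarder outputs.conf (the file `splunk add forward-server` writes) and a constructed indexer inputs.conf (the file Configure Receiving writes) and confirms the forwarder targets a port the indexer is actually listening on. The hostname `idx01.example.internal` and the group name `default-autolb-group` are assumed sample values.

```python
import configparser

# Constructed sample of what `splunk add forward-server idx01:9997` writes to
# outputs.conf on the forwarder; the hostname and group name are assumed values.
FORWARDER_OUTPUTS_CONF = """[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = idx01.example.internal:9997
"""

# Constructed sample of what Settings > Forwarding and Receiving > Configure
# Receiving writes to inputs.conf on the indexer.
INDEXER_INPUTS_CONF = """[splunktcp://9997]
disabled = 0
"""

def parse_conf(text):
    """Parse Splunk's INI-style .conf text, keeping key case (defaultGroup)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def receiving_ports(inputs_conf):
    """Ports the indexer listens on: enabled [splunktcp://<port>] or [splunktcp://host:port] stanzas."""
    ports = set()
    for section in inputs_conf.sections():
        if not section.startswith("splunktcp://"):
            continue
        if inputs_conf[section].get("disabled", "0").lower() in ("1", "true"):
            continue  # stanza present but disabled: not listening
        ports.add(int(section[len("splunktcp://"):].rsplit(":", 1)[-1]))
    return ports

def forward_targets(outputs_conf):
    """(host, port) pairs the forwarder sends to via its default tcpout group."""
    group = outputs_conf["tcpout"]["defaultGroup"]
    servers = outputs_conf[f"tcpout:{group}"]["server"]  # comma-separated host:port
    targets = []
    for entry in servers.split(","):
        host, port = entry.strip().rsplit(":", 1)
        targets.append((host, int(port)))
    return targets

def check_pairing(outputs_text, inputs_text):
    """True only if every forward target port is one the indexer receives on."""
    ports = receiving_ports(parse_conf(inputs_text))
    targets = forward_targets(parse_conf(outputs_text))
    return bool(targets) and all(port in ports for _, port in targets)
```

Point the two constants at the real files from $SPLUNK_HOME/etc/system/local on each box to run it against a live pair; a False result is the configuration-side reason `index=_internal | stats count by host` would not show the forwarder.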