Good job 👍
Did you get information like IP and hostname from that sourcetype?
Hello,
Nice video.
I am confused about what logs are being sent from your AD controller to Splunk. How does the forwarder select what type of logs it will forward? Is it forwarding everything (all logs from server SRV-W2K19)? Also, how does Splunk determine the source type? (You did not specify it in your inputs.conf.)
Thanks!
To choose the type of logs that a domain controller sends to the Splunk forwarder, you need to configure the input settings on the Universal Forwarder installed on the domain controller. Here are the general steps:
1. **Install the Splunk Universal Forwarder on the Domain Controller:**
   - Download and install the Splunk Universal Forwarder on your domain controller if it’s not already installed.
2. **Configure Inputs on the Forwarder:**
   - You need to define which logs you want to collect in the `inputs.conf` file. This file is typically located in the `$SPLUNK_HOME/etc/system/local/` directory on the forwarder.
3. **Edit the `inputs.conf` File:**
   - Open the `inputs.conf` file in a text editor and specify the types of logs you want to collect. For example, to collect Windows Event Logs, you can add entries like:

     ```
     [WinEventLog://Security]
     disabled = 0
     index = your_index_name

     [WinEventLog://Application]
     disabled = 0
     index = your_index_name

     [WinEventLog://System]
     disabled = 0
     index = your_index_name
     ```

   - Adjust the `index` parameter to the name of the index where you want to store the logs in Splunk.
4. **Specify Additional Inputs if Needed:**
   - You can also collect other types of logs such as file-based logs or other event channels. For example, to collect logs from a specific file, you can add:

     ```
     [monitor://C:\path\to\your\logfile.log]
     disabled = 0
     index = your_index_name
     sourcetype = your_sourcetype
     ```

5. **Restart the Splunk Forwarder:**
   - After making changes to the `inputs.conf` file, restart the Splunk Universal Forwarder to apply the changes. You can restart it using the command line:

     ```
     $SPLUNK_HOME/bin/splunk restart
     ```

6. **Verify Data Collection:**
   - Ensure that the data is being collected by checking the index in your Splunk instance. You can do this by running a search query in the Splunk search interface:

     ```
     index=your_index_name
     ```

These steps should help you configure the type of logs your domain controller sends to the Splunk forwarder. Make sure you have appropriate permissions and follow security best practices when accessing and modifying configuration files on your domain controller.
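As an added example (not code from the video or from the reply above), here is a small Python check that reads an `inputs.conf` like the one described and reports, per stanza, whether it is enabled, which index it targets, whether whitelist/blacklist filtering limits what leaves the host, and which sourcetype applies when none is set. The sample configuration is constructed, and the default-sourcetype mapping (classic event-log inputs get `WinEventLog`, `renderXml = true` inputs get `XmlWinEventLog`, file monitors are auto-detected by the indexer) is an assumption to verify against your Splunk version's documentation.

```python
import configparser

# Constructed sample inputs.conf (not from the video): Security filtered by
# whitelist, Application disabled, System with defaults, one file monitor.
SAMPLE_INPUTS_CONF = r"""
[WinEventLog://Security]
disabled = 0
index = wineventlog
whitelist = EventCode=%^(4624|4625|4688|4720)$%
[WinEventLog://Application]
disabled = 1
index = wineventlog
[WinEventLog://System]
disabled = 0
[monitor://C:\inetpub\logs\LogFiles\W3SVC1]
disabled = 0
index = web
"""

def default_sourcetype(stanza, opts):
    """Sourcetype assigned when the stanza sets none (assumed mapping: classic
    event-log inputs -> WinEventLog, renderXml=true -> XmlWinEventLog)."""
    if stanza.startswith("WinEventLog://"):
        xml = opts.get("renderxml", "false").strip().lower() in ("1", "true")
        return "XmlWinEventLog" if xml else "WinEventLog"
    return "<auto-detected by indexer>"  # file monitors: content-based guess

def collection_plan(conf_text):
    """Map each input stanza to what the forwarder would actually send."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    cp.read_string(conf_text)
    plan = {}
    for stanza in cp.sections():
        opts = {k.lower(): v for k, v in cp.items(stanza)}
        plan[stanza] = {
            "enabled": opts.get("disabled", "0").strip().lower() not in ("1", "true"),
            "index": opts.get("index", "main"),  # Splunk's default index
            "sourcetype": opts.get("sourcetype") or default_sourcetype(stanza, opts),
            # whitelist*/blacklist* keys: only a subset of events leaves the host
            "filtered": any(k.startswith(("whitelist", "blacklist")) for k in opts),
        }
    return plan

def missing_channels(plan, required=("Security", "System")):
    """Event-log channels a domain controller should send but does not."""
    enabled = {s.split("://", 1)[1] for s, p in plan.items()
               if s.startswith("WinEventLog://") and p["enabled"]}
    return [c for c in required if c not in enabled]
```

Run `collection_plan(SAMPLE_INPUTS_CONF)` against the real file from `$SPLUNK_HOME/etc/system/local/` (or an app's `local/inputs.conf`) to see at a glance which channels, indexes and sourcetypes the forwarder will actually use.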