SlideShare a Scribd company logo

Ms app 1.5.1-msinfra-bestpracticesguide

ā€¢
ā€¢
wardell henley
wardell henley

msinfra-bestpracticesguide

Technology
1 of 5
Download to read offline
SplunkĀ® App for Windows Infrastructure Deploy and Use the Splunk App for Windows Infrastructure 1.5.1 Best practices guide Generated: 1/01/2019 2:25 pm Copyright (c) 2019 Splunk Inc. All Rights Reserved
Best practices guide Splunk has put together this Best Practices in the course of developing and using the Splunk App for Windows Infrastructure. You can expect continued updates to this guide as we update the app with feedback from our customers and partners. General Synchronize clocks on all hosts To ensure that the Splunk App for Windows Infrastructure sees all data coming in from the hosts in your Exchange environment, confirm that those hosts have their clocks synchronized. On Windows hosts, use the Windows Time service to synchronize with an available Network Time Protocol (NTP) host. ā€¢ On *nix hosts (if you use *nix hosts to host the Splunk App for Windows Infrastructure), use the ntpd client to synchronize with an available NTP host. ā€¢ Note: The Windows Time service is not a full-fledged NTP client and Microsoft neither guarantees nor supports the accuracy of the service. Active Directory Below are some best practices for tuning Active Directory monitoring operations for the Splunk App for Windows Infrastructure. You must make these changes inside the universal forwarders that you have installed on the AD domain controllers in your environment. ā€¢ You must define the changes within the Splunk_TA_microsoft_ad add-on that you install into the universal forwarder. ā€¢ If you use a Splunk Enterprise deployment server, create server classes that deploy the add-ons with these updated configurations. Otherwise, make these changes after you have deployed the add-ons into the universal forwarders on the domain controllers. ā€¢ Once you update configurations, you must restart the universal forwarders on each domain controller for the new changes to take effect. ā€¢ 1
Consider not including a baseline for Active Directory data collection You don't need to collect a baseline - or dump - of your Active Directory schema to use with the Splunk App for Windows Infrastructure. In fact, doing so can significantly increase the memory usage footprint on your domain controllers and your Splunk indexing volume. Unless you specifically need a baseline of your AD schema, consider turning it off. Open %SPLUNK_HOME%etcappsSplunk_TA_microsoft_ad<version>localinputs.conf for editing. 1. Modify the main admon stanza: [admon://NearestDC] disabled = 0 baseline = 0 2. Consider disabling the Active Directory monitoring input on all but a select group of domain controllers When you collect Active Directory data for the Splunk App for Windows Infrastructure, it is not necessary to enable the Active Directory monitoring input (admon) on every domain controller in your Exchange environment. If you have a number of domain controllers, consider selecting one (or two to three for redundancy) and enabling the admon inputs only on those hosts. You should still install the Splunk_TA_microsoft_ad add-on into each domain controller. You should also install the Splunk Add-on for Windows (Splunk_TA_Windows) onto the host to get all other Windows data for the host into the Splunk App for Windows Infrastructure. To configure active directory monitoring on a specific domain controller, open %SPLUNK_HOME%etcappsSplunk_TA_microsoft_adlocalinputs.conf for editing. 1. In the file, disable the main admon stanza. [admon://NearestDC] disabled = 1 2. Create a new Active Directory monitoring stanza and set the targetDc attribute to the NetBIOS name of the controller on which you want to run admon. For example, if the host on which you want to run admon is named SF-DC2, configure a new admon stanza like the following: 3. 2
[admon://ADMonitoring] targetDc = SF-DC2 monitorSubtree = 1 baseline = 0 index = msad disabled = 0 Consider specifying a domain controller for Security Event Log Security ID (SID) translations The Splunk Enterprise event log monitor translates security identifiers (SIDs) by default for the Security Event Log. Translation turns SIDs (the very long string that begins with S-1-5-21 and ends with a long jumble of numbers) into friendly account names. The Splunk App for Windows Infrastructure does not need SID translation in the Security Event Log. This is because Active Directory events already contain this information. To reduce the amount of memory that domain controllers use to perform SID translation, configure the Splunk Add-on for Windows (Splunk_TA_Windows) to disable SID translation. To disable SID translation, open %SPLUNK_HOME%etcappsSplunk_TA_Windowslocalinputs.conf for editing. 1. In this file, modify the Security Event Log stanza. [WinEventLog://Security] evt_resolve_ad_obj = 0 2. If you require SID translation, you can limit both its scope and where it occurs by setting the current_only and evt_dc_name attributes: [WinEventLog://Security] evt_dc_name = SF-DC2 # only use SF-DC2 to translate SIDs current_only = 1 # only translate SIDs for events that come in for new events Consider limiting AD object access events to reduce impact on license usage When you enable auditing on your AD domain controllers, the DCs create Security Event Code 4662 events each time a user accesses any kind of AD object. (On Windows Server 2003 and Server 2003 R2, the event code is 566). This can greatly impact license volume and potentially cause violations. 3
To address the problem, limit the indexing of these event codes by blacklisting some of the events which contain them (the app uses the events for Group Policy monitoring but no other purpose.) This procedure requires that you use Splunk universal forwarder version 6.1 or later. If you cannot use this version of the universal forwarder, then this strategy does not apply to you. 4

Recommended

Big Data Platform Deployment Architecture
Big Data Platform Deployment ArchitectureBig Data Platform Deployment Architecture
Big Data Platform Deployment Architecture
David Ko
Ā 
Kubernetes and Helm 101
Kubernetes and Helm 101Kubernetes and Helm 101
Kubernetes and Helm 101
Kirill Zonov
Ā 
Cloud and Ubiquitous Computing manual
Cloud and Ubiquitous Computing manual Cloud and Ubiquitous Computing manual
Cloud and Ubiquitous Computing manual
Sonali Parab
Ā 
Meteor Boulder meetup #1
Meteor Boulder meetup #1Meteor Boulder meetup #1
Meteor Boulder meetup #1
Robert Dickert
Ā 
Pivotal Cloud Foundry 2.6: A First Look
Pivotal Cloud Foundry 2.6: A First LookPivotal Cloud Foundry 2.6: A First Look
Pivotal Cloud Foundry 2.6: A First Look
VMware Tanzu
Ā 
Pivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First LookPivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First Look
VMware Tanzu
Ā 
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docxCreating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
williejgrant41084
Ā 
Practical solutions for connections administrators
Practical solutions for connections administratorsPractical solutions for connections administrators
Practical solutions for connections administrators
Sharon James
Ā 

Recommended

Big Data Platform Deployment Architecture
Big Data Platform Deployment ArchitectureBig Data Platform Deployment Architecture
Big Data Platform Deployment Architecture
David Ko
Ā 
Kubernetes and Helm 101
Kubernetes and Helm 101Kubernetes and Helm 101
Kubernetes and Helm 101
Kirill Zonov
Ā 
Cloud and Ubiquitous Computing manual
Cloud and Ubiquitous Computing manual Cloud and Ubiquitous Computing manual
Cloud and Ubiquitous Computing manual
Sonali Parab
Ā 
Meteor Boulder meetup #1
Meteor Boulder meetup #1Meteor Boulder meetup #1
Meteor Boulder meetup #1
Robert Dickert
Ā 
Pivotal Cloud Foundry 2.6: A First Look
Pivotal Cloud Foundry 2.6: A First LookPivotal Cloud Foundry 2.6: A First Look
Pivotal Cloud Foundry 2.6: A First Look
VMware Tanzu
Ā 
Pivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First LookPivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First Look
VMware Tanzu
Ā 
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docxCreating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
williejgrant41084
Ā 
Practical solutions for connections administrators
Practical solutions for connections administratorsPractical solutions for connections administrators
Practical solutions for connections administrators
Sharon James
Ā 
NTC/326 ENTIRE CLASS UOP TUTORIALS
NTC/326 ENTIRE CLASS UOP TUTORIALSNTC/326 ENTIRE CLASS UOP TUTORIALS
NTC/326 ENTIRE CLASS UOP TUTORIALS
Sharon Reynolds
Ā 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
Mohamad Hassan
Ā 
How to build a Oracle cloud adapter SOA, Integration & API's
How to build a Oracle cloud adapter SOA, Integration & API'sHow to build a Oracle cloud adapter SOA, Integration & API's
How to build a Oracle cloud adapter SOA, Integration & API's
Getting value from IoT, Integration and Data Analytics
Ā 
How to build a cloud adapter
How to build a cloud adapterHow to build a cloud adapter
How to build a cloud adapter
Maarten Smeets
Ā 
Manual Sophos
Manual SophosManual Sophos
Manual Sophos
Olavo Dalcorso
Ā 
What's new in p2 (2009)?
What's new in p2 (2009)?What's new in p2 (2009)?
What's new in p2 (2009)?
Pascal Rapicault
Ā 
6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tier6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tier
balaji29
Ā 
Cloud Composer workshop at Airflow Summit 2023.pdf
Cloud Composer workshop at Airflow Summit 2023.pdfCloud Composer workshop at Airflow Summit 2023.pdf
Cloud Composer workshop at Airflow Summit 2023.pdf
Leah Cole
Ā 
Pandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise PluginPandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise Plugin
Pandora FMS
Ā 
IUG ATL PC 9.5
IUG ATL PC 9.5IUG ATL PC 9.5
IUG ATL PC 9.5
Rizwan Mohammed
Ā 
Twelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureTwelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application Architecture
Sigfred Balatan Jr.
Ā 
Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000
Ajith Narayanan
Ā 
Readme
ReadmeReadme
Readme
rec2006
Ā 
SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]
Levi Ustinov
Ā 
Clockify Add-on for Splunk.pptx
Clockify Add-on for Splunk.pptxClockify Add-on for Splunk.pptx
Clockify Add-on for Splunk.pptx
Vikram Kumar Yadav
Ā 
Oracle Solaris 11_Overview and Design Guide.pptx
Oracle Solaris 11_Overview and Design Guide.pptxOracle Solaris 11_Overview and Design Guide.pptx
Oracle Solaris 11_Overview and Design Guide.pptx
SaeidVarmazyar
Ā 
MS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applicationsMS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applications
Spiffy
Ā 
Oracle bi 10g_install_migration
Oracle bi 10g_install_migrationOracle bi 10g_install_migration
Oracle bi 10g_install_migration
Mlx Le
Ā 
IIS Web Ecosystem
IIS Web EcosystemIIS Web Ecosystem
IIS Web Ecosystem
Kenny Abdiel Maita
Ā 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
Dieter Wijckmans
Ā 
RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdf
wardell henley
Ā 
mita_overview.pdf
mita_overview.pdfmita_overview.pdf
mita_overview.pdf
wardell henley
Ā 

More Related Content

Similar to Ms app 1.5.1-msinfra-bestpracticesguide

How to build a cloud adapter
How to build a cloud adapterHow to build a cloud adapter
How to build a cloud adapter
Maarten Smeets
Ā 
6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tier6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tier
balaji29
Ā 
SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]
Levi Ustinov
Ā 
MS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applicationsMS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applications
Spiffy
Ā 
Oracle bi 10g_install_migration
Oracle bi 10g_install_migrationOracle bi 10g_install_migration
Oracle bi 10g_install_migration
Mlx Le
Ā 

Similar to Ms app 1.5.1-msinfra-bestpracticesguide (20)

NTC/326 ENTIRE CLASS UOP TUTORIALS
NTC/326 ENTIRE CLASS UOP TUTORIALSNTC/326 ENTIRE CLASS UOP TUTORIALS
NTC/326 ENTIRE CLASS UOP TUTORIALS
Ā 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
Ā 
How to build a Oracle cloud adapter SOA, Integration & API's
How to build a Oracle cloud adapter SOA, Integration & API'sHow to build a Oracle cloud adapter SOA, Integration & API's
How to build a Oracle cloud adapter SOA, Integration & API's
Ā 
How to build a cloud adapter
How to build a cloud adapterHow to build a cloud adapter
How to build a cloud adapter
Ā 
Manual Sophos
Manual SophosManual Sophos
Manual Sophos
Ā 
What's new in p2 (2009)?
What's new in p2 (2009)?What's new in p2 (2009)?
What's new in p2 (2009)?
Ā 
6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tier6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tier
Ā 
Cloud Composer workshop at Airflow Summit 2023.pdf
Cloud Composer workshop at Airflow Summit 2023.pdfCloud Composer workshop at Airflow Summit 2023.pdf
Cloud Composer workshop at Airflow Summit 2023.pdf
Ā 
Pandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise PluginPandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise Plugin
Ā 
IUG ATL PC 9.5
IUG ATL PC 9.5IUG ATL PC 9.5
IUG ATL PC 9.5
Ā 
Twelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureTwelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application Architecture
Ā 
Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000
Ā 
Readme
ReadmeReadme
Readme
Ā 
SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use ā€“ Step by Step [Small]
Ā 
Clockify Add-on for Splunk.pptx
Clockify Add-on for Splunk.pptxClockify Add-on for Splunk.pptx
Clockify Add-on for Splunk.pptx
Ā 
Oracle Solaris 11_Overview and Design Guide.pptx
Oracle Solaris 11_Overview and Design Guide.pptxOracle Solaris 11_Overview and Design Guide.pptx
Oracle Solaris 11_Overview and Design Guide.pptx
Ā 
MS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applicationsMS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applications
Ā 
Oracle bi 10g_install_migration
Oracle bi 10g_install_migrationOracle bi 10g_install_migration
Oracle bi 10g_install_migration
Ā 
IIS Web Ecosystem
IIS Web EcosystemIIS Web Ecosystem
IIS Web Ecosystem
Ā 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
Ā 

More from wardell henley

Enterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20securityEnterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20security
wardell henley
Ā 

More from wardell henley (20)

RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdf
Ā 
mita_overview.pdf
mita_overview.pdfmita_overview.pdf
mita_overview.pdf
Ā 
Landscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdfLandscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdf
Ā 
Facets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdfFacets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdf
Ā 
self_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdfself_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdf
Ā 
Itil a guide to cab meetings pdf
Itil a guide to cab meetings pdfItil a guide to cab meetings pdf
Itil a guide to cab meetings pdf
Ā 
Mn bfdsprivacy
Mn bfdsprivacyMn bfdsprivacy
Mn bfdsprivacy
Ā 
9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp
Ā 
It security cert_508
It security cert_508It security cert_508
It security cert_508
Ā 
15466 mba technology_white_paper
15466 mba technology_white_paper15466 mba technology_white_paper
15466 mba technology_white_paper
Ā 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_training
Ā 
213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen
Ā 
Soa security2
Soa security2Soa security2
Soa security2
Ā 
Cissp chapter-05ppt178
Cissp chapter-05ppt178Cissp chapter-05ppt178
Cissp chapter-05ppt178
Ā 
Enterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20securityEnterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20security
Ā 
3 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp013 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp01
Ā 
Splunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandardsSplunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandards
Ā 
IBM enterprise Content Management
IBM enterprise Content ManagementIBM enterprise Content Management
IBM enterprise Content Management
Ā 
oracle EBS
oracle EBSoracle EBS
oracle EBS
Ā 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper
Ā 

Recently uploaded

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
Ā 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(ā˜Žļø+971_581248768%)**%*]'#abortion pills for sale in dubai@
Ā 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
Ā 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
Ā 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
Ā 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
Ā 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
Ā 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
Ā 

Recently uploaded (20)

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Ā 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Ā 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
Ā 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
Ā 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Ā 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Ā 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
Ā 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Ā 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Ā 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Ā 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Ā 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Ā 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
Ā 
Scaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organizationScaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organization
Ā 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Ā 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Ā 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Ā 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Ā 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
Ā 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
Ā 

Ms app 1.5.1-msinfra-bestpracticesguide

  • 1. SplunkĀ® App for Windows Infrastructure Deploy and Use the Splunk App for Windows Infrastructure 1.5.1 Best practices guide Generated: 1/01/2019 2:25 pm Copyright (c) 2019 Splunk Inc. All Rights Reserved
  • 2. Best practices guide Splunk has put together this Best Practices in the course of developing and using the Splunk App for Windows Infrastructure. You can expect continued updates to this guide as we update the app with feedback from our customers and partners. General Synchronize clocks on all hosts To ensure that the Splunk App for Windows Infrastructure sees all data coming in from the hosts in your Exchange environment, confirm that those hosts have their clocks synchronized. On Windows hosts, use the Windows Time service to synchronize with an available Network Time Protocol (NTP) host. ā€¢ On *nix hosts (if you use *nix hosts to host the Splunk App for Windows Infrastructure), use the ntpd client to synchronize with an available NTP host. ā€¢ Note: The Windows Time service is not a full-fledged NTP client and Microsoft neither guarantees nor supports the accuracy of the service. Active Directory Below are some best practices for tuning Active Directory monitoring operations for the Splunk App for Windows Infrastructure. You must make these changes inside the universal forwarders that you have installed on the AD domain controllers in your environment. ā€¢ You must define the changes within the Splunk_TA_microsoft_ad add-on that you install into the universal forwarder. ā€¢ If you use a Splunk Enterprise deployment server, create server classes that deploy the add-ons with these updated configurations. Otherwise, make these changes after you have deployed the add-ons into the universal forwarders on the domain controllers. ā€¢ Once you update configurations, you must restart the universal forwarders on each domain controller for the new changes to take effect. ā€¢ 1
  • 3. Consider not including a baseline for Active Directory data collection You don't need to collect a baseline - or dump - of your Active Directory schema to use with the Splunk App for Windows Infrastructure. In fact, doing so can significantly increase the memory usage footprint on your domain controllers and your Splunk indexing volume. Unless you specifically need a baseline of your AD schema, consider turning it off. Open %SPLUNK_HOME%etcappsSplunk_TA_microsoft_ad<version>localinputs.conf for editing. 1. Modify the main admon stanza: [admon://NearestDC] disabled = 0 baseline = 0 2. Consider disabling the Active Directory monitoring input on all but a select group of domain controllers When you collect Active Directory data for the Splunk App for Windows Infrastructure, it is not necessary to enable the Active Directory monitoring input (admon) on every domain controller in your Exchange environment. If you have a number of domain controllers, consider selecting one (or two to three for redundancy) and enabling the admon inputs only on those hosts. You should still install the Splunk_TA_microsoft_ad add-on into each domain controller. You should also install the Splunk Add-on for Windows (Splunk_TA_Windows) onto the host to get all other Windows data for the host into the Splunk App for Windows Infrastructure. To configure active directory monitoring on a specific domain controller, open %SPLUNK_HOME%etcappsSplunk_TA_microsoft_adlocalinputs.conf for editing. 1. In the file, disable the main admon stanza. [admon://NearestDC] disabled = 1 2. Create a new Active Directory monitoring stanza and set the targetDc attribute to the NetBIOS name of the controller on which you want to run admon. For example, if the host on which you want to run admon is named SF-DC2, configure a new admon stanza like the following: 3. 2
  • 4. [admon://ADMonitoring] targetDc = SF-DC2 monitorSubtree = 1 baseline = 0 index = msad disabled = 0 Consider specifying a domain controller for Security Event Log Security ID (SID) translations The Splunk Enterprise event log monitor translates security identifiers (SIDs) by default for the Security Event Log. Translation turns SIDs (the very long string that begins with S-1-5-21 and ends with a long jumble of numbers) into friendly account names. The Splunk App for Windows Infrastructure does not need SID translation in the Security Event Log. This is because Active Directory events already contain this information. To reduce the amount of memory that domain controllers use to perform SID translation, configure the Splunk Add-on for Windows (Splunk_TA_Windows) to disable SID translation. To disable SID translation, open %SPLUNK_HOME%etcappsSplunk_TA_Windowslocalinputs.conf for editing. 1. In this file, modify the Security Event Log stanza. [WinEventLog://Security] evt_resolve_ad_obj = 0 2. If you require SID translation, you can limit both its scope and where it occurs by setting the current_only and evt_dc_name attributes: [WinEventLog://Security] evt_dc_name = SF-DC2 # only use SF-DC2 to translate SIDs current_only = 1 # only translate SIDs for events that come in for new events Consider limiting AD object access events to reduce impact on license usage When you enable auditing on your AD domain controllers, the DCs create Security Event Code 4662 events each time a user accesses any kind of AD object. (On Windows Server 2003 and Server 2003 R2, the event code is 566). This can greatly impact license volume and potentially cause violations. 3
  • 5. To address the problem, limit the indexing of these event codes by blacklisting some of the events which contain them (the app uses the events for Group Policy monitoring but no other purpose.) This procedure requires that you use Splunk universal forwarder version 6.1 or later. If you cannot use this version of the universal forwarder, then this strategy does not apply to you. 4