Splunking Windows Environments

Splunk and Windows: So many add-ons, so little time!

There are lots of Splunk apps and add-ons out there when it comes to Windows. So which ones do you choose?

Well, I’ve gathered the best ones, and they are all Splunk supported, so you know you will get support and they will be kept up to date. These are the apps and add-ons that create the foundation you can build on if you need to. They do a really good job of covering all the usual check boxes when it comes to a Windows environment.

The first piece is to download the correct Splunk Universal Forwarder for your version of Windows, which nowadays just means choosing 32- or 64-bit. Make sure its version is the same as, or lower than, the version of the Splunk indexers it will forward to: forwarders may be older than their indexers, but a forwarder that is newer than the indexers it sends to is not a supported combination.

Second, you need to download the main app from Splunk, the Splunk App for Windows Infrastructure. This app runs on the Search Head and is the one that aggregates and slices and dices the machine data collected by the add-ons so you can make sense of it all.

Third, you need the Splunk Add-on for Microsoft Windows. This add-on is deployed to the Universal Forwarders themselves; it is what tells them what to collect from the Windows OS (event logs, performance counters and the like).

Finally, for Active Directory, and of course DNS, you need the Splunk Add-on for Microsoft Active Directory and the Splunk Add-on for Microsoft Windows DNS, as well as the Splunk Supporting Add-on for Active Directory (the one that gives Splunk its LDAP lookups).
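To show how those pieces land on an endpoint, here is an added example (not from the original post and not Splunk's own code) of a PowerShell script that silently installs the Universal Forwarder, points it at a deployment server so the add-ons above can be pushed to it from Forwarder Management, and then checks the install. The MSI file name and version, the deployment server and indexer host names and ports, and the log path are assumptions for illustration; the MSI properties and `splunk.exe` commands are documented ones.

```powershell
# Added example: unattended Universal Forwarder install on Windows, enrolled
# with a deployment server so the Windows/AD/DNS add-ons can be pushed to it.
# Run from an elevated (Administrator) PowerShell session.
# All host names, ports and paths below are assumptions for illustration.

$Msi              = 'C:\Temp\splunkforwarder-6.4.2-x64-release.msi'   # assumed file/version
$DeploymentServer = 'splunk-ds.example.local:8089'                    # assumed DS host:mgmt port
$ReceivingIndexer = 'splunk-idx.example.local:9997'                   # assumed indexer host:receiving port
$InstallLog       = 'C:\Temp\uf-install.log'                          # assumed log path
$SplunkHome       = 'C:\Program Files\SplunkUniversalForwarder'       # default install directory

if (-not (Test-Path $Msi)) { throw "Installer not found: $Msi" }

# 1. Install silently. AGREETOLICENSE, DEPLOYMENT_SERVER, RECEIVING_INDEXER and
#    LAUNCHSPLUNK are documented properties of the forwarder MSI. Setting
#    DEPLOYMENT_SERVER writes deploymentclient.conf for you, so the forwarder
#    phones home and receives its add-ons without any hand-edited config.
$msiArgs = @(
    '/i', "`"$Msi`"",
    'AGREETOLICENSE=Yes',
    "DEPLOYMENT_SERVER=`"$DeploymentServer`"",
    "RECEIVING_INDEXER=`"$ReceivingIndexer`"",
    'LAUNCHSPLUNK=1',
    '/quiet', '/norestart',
    '/l*v', "`"$InstallLog`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with $($proc.ExitCode); see $InstallLog"
}

# 2. The forwarder runs as the SplunkForwarder service; make sure it came up.
$svc = Get-Service -Name 'SplunkForwarder' -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "SplunkForwarder service is $($svc.Status), expected Running"
}

# 3. Post-install checks with the forwarder's own CLI.
$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
& $splunk version              # compare against your indexers: forwarder must not be newer
& $splunk show deploy-poll     # should echo the deployment server you configured
& $splunk list forward-server  # indexer should appear under "Active forwards"
```

The last two `splunk.exe` commands prompt for the forwarder's local admin credentials. The `version` line is the one to check against the indexers, since a forwarder newer than its indexers is the mismatch to avoid; if the indexer shows up under "Configured but inactive forwards" instead of "Active forwards", look at the receiving port and any firewall between the two before looking at anything else.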

The good news about each of these is that Splunk created them to work together, and they ship with tons of sample dashboards and reports. The included items are very informative and a great place to start from and modify to fit your needs and the way you present the data that is gathered with Splunk.

I’ll go into more detail about each one and how they all fit together in a separate article.

Splunk Training Complete! What’s Next?

Splunk Training Complete!

Last week I attended Splunk training and it was very informative and inspiring.
Not only was it instructor-led, but it was 4 classes combined into 5 days. The labs are very to the point and on topic. It was very educational and a good time.


Now What?

I’m now preparing for the Splunk Certified Power User and the Splunk Certified Admin tests. I’m setting up a lab with an Ubuntu Linux OS for the single-server install of Splunk. I plan to roll a few Windows Server and Desktop OSes to generate data. I’m going to install the Universal Forwarders on them and control their configs using Forwarder Management and a Deployment Server. I’ll be managing the data with the Splunk App for Windows Infrastructure and the Splunk Add-on for Microsoft Windows. These are the basic methods to collect data from Windows using the Universal Forwarders. I know there are multiple other ways to collect data from a Windows environment, like WMI and PowerShell scripts, but I want to work with what Splunk has put together before I start using other methods.

Also, if you have never spoken to anyone who works with Splunk, apparently the phrase “put the Universal Forwarder on it” is not a joke. They actually mean it. Yes, you don’t have to put it on everything, but they sure will tell you to!

I’m also going to get Citrix XenDesktop installed on one of the Windows Server instances so I can deploy the Template for Citrix XenDesktop 7. I will use it to monitor an all-in-one install of XenDesktop 7.9. That is the latest and greatest from Citrix, so hopefully the app from Jason Conger will support it. He has been updating it, so we’ll see. Since he is at Splunk now, I wonder if I can get him when contacting Splunk support, or even if I can convince Splunk to make it an officially supported app?

It should be fun to see what metrics I can pull from the Citrix environment and a wonderful learning experience.