SlideShare a Scribd company logo

Ms app 1.5.1-msinfra-bestpracticesguide

wardell henley
wardell henley

msinfra-bestpracticesguide

Technology
1 of 5
Download to read offline
Splunk® App for Windows Infrastructure Deploy and Use the Splunk App for Windows Infrastructure 1.5.1 Best practices guide Generated: 1/01/2019 2:25 pm Copyright (c) 2019 Splunk Inc. All Rights Reserved
Best practices guide Splunk has put together this Best Practices in the course of developing and using the Splunk App for Windows Infrastructure. You can expect continued updates to this guide as we update the app with feedback from our customers and partners. General Synchronize clocks on all hosts To ensure that the Splunk App for Windows Infrastructure sees all data coming in from the hosts in your Exchange environment, confirm that those hosts have their clocks synchronized. On Windows hosts, use the Windows Time service to synchronize with an available Network Time Protocol (NTP) host. • On *nix hosts (if you use *nix hosts to host the Splunk App for Windows Infrastructure), use the ntpd client to synchronize with an available NTP host. • Note: The Windows Time service is not a full-fledged NTP client and Microsoft neither guarantees nor supports the accuracy of the service. Active Directory Below are some best practices for tuning Active Directory monitoring operations for the Splunk App for Windows Infrastructure. You must make these changes inside the universal forwarders that you have installed on the AD domain controllers in your environment. • You must define the changes within the Splunk_TA_microsoft_ad add-on that you install into the universal forwarder. • If you use a Splunk Enterprise deployment server, create server classes that deploy the add-ons with these updated configurations. Otherwise, make these changes after you have deployed the add-ons into the universal forwarders on the domain controllers. • Once you update configurations, you must restart the universal forwarders on each domain controller for the new changes to take effect. • 1
Consider not including a baseline for Active Directory data collection You don't need to collect a baseline - or dump - of your Active Directory schema to use with the Splunk App for Windows Infrastructure. In fact, doing so can significantly increase the memory usage footprint on your domain controllers and your Splunk indexing volume. Unless you specifically need a baseline of your AD schema, consider turning it off. Open %SPLUNK_HOME%etcappsSplunk_TA_microsoft_ad<version>localinputs.conf for editing. 1. Modify the main admon stanza: [admon://NearestDC] disabled = 0 baseline = 0 2. Consider disabling the Active Directory monitoring input on all but a select group of domain controllers When you collect Active Directory data for the Splunk App for Windows Infrastructure, it is not necessary to enable the Active Directory monitoring input (admon) on every domain controller in your Exchange environment. If you have a number of domain controllers, consider selecting one (or two to three for redundancy) and enabling the admon inputs only on those hosts. You should still install the Splunk_TA_microsoft_ad add-on into each domain controller. You should also install the Splunk Add-on for Windows (Splunk_TA_Windows) onto the host to get all other Windows data for the host into the Splunk App for Windows Infrastructure. To configure active directory monitoring on a specific domain controller, open %SPLUNK_HOME%etcappsSplunk_TA_microsoft_adlocalinputs.conf for editing. 1. In the file, disable the main admon stanza. [admon://NearestDC] disabled = 1 2. Create a new Active Directory monitoring stanza and set the targetDc attribute to the NetBIOS name of the controller on which you want to run admon. For example, if the host on which you want to run admon is named SF-DC2, configure a new admon stanza like the following: 3. 2
[admon://ADMonitoring] targetDc = SF-DC2 monitorSubtree = 1 baseline = 0 index = msad disabled = 0 Consider specifying a domain controller for Security Event Log Security ID (SID) translations The Splunk Enterprise event log monitor translates security identifiers (SIDs) by default for the Security Event Log. Translation turns SIDs (the very long string that begins with S-1-5-21 and ends with a long jumble of numbers) into friendly account names. The Splunk App for Windows Infrastructure does not need SID translation in the Security Event Log. This is because Active Directory events already contain this information. To reduce the amount of memory that domain controllers use to perform SID translation, configure the Splunk Add-on for Windows (Splunk_TA_Windows) to disable SID translation. To disable SID translation, open %SPLUNK_HOME%etcappsSplunk_TA_Windowslocalinputs.conf for editing. 1. In this file, modify the Security Event Log stanza. [WinEventLog://Security] evt_resolve_ad_obj = 0 2. If you require SID translation, you can limit both its scope and where it occurs by setting the current_only and evt_dc_name attributes: [WinEventLog://Security] evt_dc_name = SF-DC2 # only use SF-DC2 to translate SIDs current_only = 1 # only translate SIDs for events that come in for new events Consider limiting AD object access events to reduce impact on license usage When you enable auditing on your AD domain controllers, the DCs create Security Event Code 4662 events each time a user accesses any kind of AD object. (On Windows Server 2003 and Server 2003 R2, the event code is 566). This can greatly impact license volume and potentially cause violations. 3
To address the problem, limit the indexing of these event codes by blacklisting some of the events which contain them (the app uses the events for Group Policy monitoring but no other purpose.) This procedure requires that you use Splunk universal forwarder version 6.1 or later. If you cannot use this version of the universal forwarder, then this strategy does not apply to you. 4

Recommended

Big Data Platform Deployment Architecture
Big Data Platform Deployment ArchitectureBig Data Platform Deployment Architecture
Big Data Platform Deployment ArchitectureDavid Ko
 
Kubernetes and Helm 101
Kubernetes and Helm 101Kubernetes and Helm 101
Kubernetes and Helm 101Kirill Zonov
 
Cloud and Ubiquitous Computing manual
Cloud and Ubiquitous Computing manual Cloud and Ubiquitous Computing manual
Cloud and Ubiquitous Computing manual Sonali Parab
 
Meteor Boulder meetup #1
Meteor Boulder meetup #1Meteor Boulder meetup #1
Meteor Boulder meetup #1Robert Dickert
 
Pivotal Cloud Foundry 2.6: A First Look
Pivotal Cloud Foundry 2.6: A First LookPivotal Cloud Foundry 2.6: A First Look
Pivotal Cloud Foundry 2.6: A First LookVMware Tanzu
 
Pivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First LookPivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First LookVMware Tanzu
 
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docxCreating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docxwilliejgrant41084
 
Practical solutions for connections administrators
Practical solutions for connections administratorsPractical solutions for connections administrators
Practical solutions for connections administratorsSharon James
 

Recommended

Big Data Platform Deployment Architecture
Big Data Platform Deployment ArchitectureBig Data Platform Deployment Architecture
Big Data Platform Deployment ArchitectureDavid Ko
 
Kubernetes and Helm 101
Kubernetes and Helm 101Kubernetes and Helm 101
Kubernetes and Helm 101Kirill Zonov
 
Cloud and Ubiquitous Computing manual
Cloud and Ubiquitous Computing manual Cloud and Ubiquitous Computing manual
Cloud and Ubiquitous Computing manual Sonali Parab
 
Meteor Boulder meetup #1
Meteor Boulder meetup #1Meteor Boulder meetup #1
Meteor Boulder meetup #1Robert Dickert
 
Pivotal Cloud Foundry 2.6: A First Look
Pivotal Cloud Foundry 2.6: A First LookPivotal Cloud Foundry 2.6: A First Look
Pivotal Cloud Foundry 2.6: A First LookVMware Tanzu
 
Pivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First LookPivotal Cloud Foundry 2.5: A First Look
Pivotal Cloud Foundry 2.5: A First LookVMware Tanzu
 
Creating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docxCreating a Scheduled Backup and Replicating System Folders Introduct.docx
Creating a Scheduled Backup and Replicating System Folders Introduct.docxwilliejgrant41084
 
Practical solutions for connections administrators
Practical solutions for connections administratorsPractical solutions for connections administrators
Practical solutions for connections administratorsSharon James
 
NTC/326 ENTIRE CLASS UOP TUTORIALS
NTC/326 ENTIRE CLASS UOP TUTORIALSNTC/326 ENTIRE CLASS UOP TUTORIALS
NTC/326 ENTIRE CLASS UOP TUTORIALSSharon Reynolds
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Mohamad Hassan
 
How to build a Oracle cloud adapter SOA, Integration & API's
How to build a Oracle cloud adapter SOA, Integration & API'sHow to build a Oracle cloud adapter SOA, Integration & API's
How to build a Oracle cloud adapter SOA, Integration & API'sGetting value from IoT, Integration and Data Analytics
 
How to build a cloud adapter
How to build a cloud adapterHow to build a cloud adapter
How to build a cloud adapterMaarten Smeets
 
Manual Sophos
Manual SophosManual Sophos
Manual SophosOlavo Dalcorso
 
What's new in p2 (2009)?
What's new in p2 (2009)?What's new in p2 (2009)?
What's new in p2 (2009)?Pascal Rapicault
 
6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tier6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tierbalaji29
 
Cloud Composer workshop at Airflow Summit 2023.pdf
Cloud Composer workshop at Airflow Summit 2023.pdfCloud Composer workshop at Airflow Summit 2023.pdf
Cloud Composer workshop at Airflow Summit 2023.pdfLeah Cole
 
Pandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise PluginPandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise PluginPandora FMS
 
IUG ATL PC 9.5
IUG ATL PC 9.5IUG ATL PC 9.5
IUG ATL PC 9.5Rizwan Mohammed
 
Twelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureTwelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureSigfred Balatan Jr.
 
Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000Ajith Narayanan
 
Readme
ReadmeReadme
Readmerec2006
 
SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]Levi Ustinov
 
Clockify Add-on for Splunk.pptx
Clockify Add-on for Splunk.pptxClockify Add-on for Splunk.pptx
Clockify Add-on for Splunk.pptxVikram Kumar Yadav
 
Oracle Solaris 11_Overview and Design Guide.pptx
Oracle Solaris 11_Overview and Design Guide.pptxOracle Solaris 11_Overview and Design Guide.pptx
Oracle Solaris 11_Overview and Design Guide.pptxSaeidVarmazyar
 
MS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applicationsMS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applicationsSpiffy
 
Oracle bi 10g_install_migration
Oracle bi 10g_install_migrationOracle bi 10g_install_migration
Oracle bi 10g_install_migrationMlx Le
 
IIS Web Ecosystem
IIS Web EcosystemIIS Web Ecosystem
IIS Web EcosystemKenny Abdiel Maita
 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_finalDieter Wijckmans
 
RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfwardell henley
 
mita_overview.pdf
mita_overview.pdfmita_overview.pdf
mita_overview.pdfwardell henley
 

More Related Content

Similar to Ms app 1.5.1-msinfra-bestpracticesguide

NTC/326 ENTIRE CLASS UOP TUTORIALS
NTC/326 ENTIRE CLASS UOP TUTORIALSNTC/326 ENTIRE CLASS UOP TUTORIALS
NTC/326 ENTIRE CLASS UOP TUTORIALSSharon Reynolds
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Mohamad Hassan
 
How to build a cloud adapter
How to build a cloud adapterHow to build a cloud adapter
How to build a cloud adapterMaarten Smeets
 
6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tier6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tierbalaji29
 
Cloud Composer workshop at Airflow Summit 2023.pdf
Cloud Composer workshop at Airflow Summit 2023.pdfCloud Composer workshop at Airflow Summit 2023.pdf
Cloud Composer workshop at Airflow Summit 2023.pdfLeah Cole
 
Pandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise PluginPandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise PluginPandora FMS
 
Twelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureTwelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureSigfred Balatan Jr.
 
Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000Ajith Narayanan
 
SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]Levi Ustinov
 
Clockify Add-on for Splunk.pptx
Clockify Add-on for Splunk.pptxClockify Add-on for Splunk.pptx
Clockify Add-on for Splunk.pptxVikram Kumar Yadav
 
Oracle Solaris 11_Overview and Design Guide.pptx
Oracle Solaris 11_Overview and Design Guide.pptxOracle Solaris 11_Overview and Design Guide.pptx
Oracle Solaris 11_Overview and Design Guide.pptxSaeidVarmazyar
 
MS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applicationsMS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applicationsSpiffy
 
Oracle bi 10g_install_migration
Oracle bi 10g_install_migrationOracle bi 10g_install_migration
Oracle bi 10g_install_migrationMlx Le
 

Similar to Ms app 1.5.1-msinfra-bestpracticesguide (20)

NTC/326 ENTIRE CLASS UOP TUTORIALS
NTC/326 ENTIRE CLASS UOP TUTORIALSNTC/326 ENTIRE CLASS UOP TUTORIALS
NTC/326 ENTIRE CLASS UOP TUTORIALS
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
 
How to build a Oracle cloud adapter SOA, Integration & API's
How to build a Oracle cloud adapter SOA, Integration & API'sHow to build a Oracle cloud adapter SOA, Integration & API's
How to build a Oracle cloud adapter SOA, Integration & API's
 
How to build a cloud adapter
How to build a cloud adapterHow to build a cloud adapter
How to build a cloud adapter
 
Manual Sophos
Manual SophosManual Sophos
Manual Sophos
 
What's new in p2 (2009)?
What's new in p2 (2009)?What's new in p2 (2009)?
What's new in p2 (2009)?
 
6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tier6048618 cloning-procedure-of-r12-single-tier
6048618 cloning-procedure-of-r12-single-tier
 
Cloud Composer workshop at Airflow Summit 2023.pdf
Cloud Composer workshop at Airflow Summit 2023.pdfCloud Composer workshop at Airflow Summit 2023.pdf
Cloud Composer workshop at Airflow Summit 2023.pdf
 
Pandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise PluginPandora FMS: DB2 Enterprise Plugin
Pandora FMS: DB2 Enterprise Plugin
 
IUG ATL PC 9.5
IUG ATL PC 9.5IUG ATL PC 9.5
IUG ATL PC 9.5
 
Twelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application ArchitectureTwelve-Factor App: Software Application Architecture
Twelve-Factor App: Software Application Architecture
 
Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000Create your oracle_apps_r12_lab_with_less_than_us1000
Create your oracle_apps_r12_lab_with_less_than_us1000
 
Readme
ReadmeReadme
Readme
 
SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]
SharePoint 2013 SP1 Deployment for OneDrive use – Step by Step [Small]
 
Clockify Add-on for Splunk.pptx
Clockify Add-on for Splunk.pptxClockify Add-on for Splunk.pptx
Clockify Add-on for Splunk.pptx
 
Oracle Solaris 11_Overview and Design Guide.pptx
Oracle Solaris 11_Overview and Design Guide.pptxOracle Solaris 11_Overview and Design Guide.pptx
Oracle Solaris 11_Overview and Design Guide.pptx
 
MS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applicationsMS Cloud Day - Deploying and monitoring windows azure applications
MS Cloud Day - Deploying and monitoring windows azure applications
 
Oracle bi 10g_install_migration
Oracle bi 10g_install_migrationOracle bi 10g_install_migration
Oracle bi 10g_install_migration
 
IIS Web Ecosystem
IIS Web EcosystemIIS Web Ecosystem
IIS Web Ecosystem
 
Best ofmms kb_final
Best ofmms kb_finalBest ofmms kb_final
Best ofmms kb_final
 

More from wardell henley

RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfwardell henley
 
Landscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdfLandscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdfwardell henley
 
Facets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdfFacets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdfwardell henley
 
self_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdfself_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdfwardell henley
 
Itil a guide to cab meetings pdf
Itil a guide to cab meetings pdfItil a guide to cab meetings pdf
Itil a guide to cab meetings pdfwardell henley
 
9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmpwardell henley
 
15466 mba technology_white_paper
15466 mba technology_white_paper15466 mba technology_white_paper
15466 mba technology_white_paperwardell henley
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingwardell henley
 
213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmenwardell henley
 
Cissp chapter-05ppt178
Cissp chapter-05ppt178Cissp chapter-05ppt178
Cissp chapter-05ppt178wardell henley
 
Enterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20securityEnterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20securitywardell henley
 
3 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp013 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp01wardell henley
 
Splunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandardsSplunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandardswardell henley
 
IBM enterprise Content Management
IBM enterprise Content ManagementIBM enterprise Content Management
IBM enterprise Content Managementwardell henley
 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaperwardell henley
 

More from wardell henley (20)

RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdf
 
mita_overview.pdf
mita_overview.pdfmita_overview.pdf
mita_overview.pdf
 
Landscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdfLandscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdf
 
Facets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdfFacets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdf
 
self_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdfself_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdf
 
Itil a guide to cab meetings pdf
Itil a guide to cab meetings pdfItil a guide to cab meetings pdf
Itil a guide to cab meetings pdf
 
Mn bfdsprivacy
Mn bfdsprivacyMn bfdsprivacy
Mn bfdsprivacy
 
9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp
 
It security cert_508
It security cert_508It security cert_508
It security cert_508
 
15466 mba technology_white_paper
15466 mba technology_white_paper15466 mba technology_white_paper
15466 mba technology_white_paper
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_training
 
213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen
 
Soa security2
Soa security2Soa security2
Soa security2
 
Cissp chapter-05ppt178
Cissp chapter-05ppt178Cissp chapter-05ppt178
Cissp chapter-05ppt178
 
Enterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20securityEnterprise%20 security%20architecture%20 %20business%20driven%20security
Enterprise%20 security%20architecture%20 %20business%20driven%20security
 
3 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp013 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp01
 
Splunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandardsSplunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandards
 
IBM enterprise Content Management
IBM enterprise Content ManagementIBM enterprise Content Management
IBM enterprise Content Management
 
oracle EBS
oracle EBSoracle EBS
oracle EBS
 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper
 

Recently uploaded

New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Recently uploaded (20)

New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Ms app 1.5.1-msinfra-bestpracticesguide

  • 1. Splunk® App for Windows Infrastructure Deploy and Use the Splunk App for Windows Infrastructure 1.5.1 Best practices guide Generated: 1/01/2019 2:25 pm Copyright (c) 2019 Splunk Inc. All Rights Reserved
  • 2. Best practices guide Splunk has put together this Best Practices in the course of developing and using the Splunk App for Windows Infrastructure. You can expect continued updates to this guide as we update the app with feedback from our customers and partners. General Synchronize clocks on all hosts To ensure that the Splunk App for Windows Infrastructure sees all data coming in from the hosts in your Exchange environment, confirm that those hosts have their clocks synchronized. On Windows hosts, use the Windows Time service to synchronize with an available Network Time Protocol (NTP) host. • On *nix hosts (if you use *nix hosts to host the Splunk App for Windows Infrastructure), use the ntpd client to synchronize with an available NTP host. • Note: The Windows Time service is not a full-fledged NTP client and Microsoft neither guarantees nor supports the accuracy of the service. Active Directory Below are some best practices for tuning Active Directory monitoring operations for the Splunk App for Windows Infrastructure. You must make these changes inside the universal forwarders that you have installed on the AD domain controllers in your environment. • You must define the changes within the Splunk_TA_microsoft_ad add-on that you install into the universal forwarder. • If you use a Splunk Enterprise deployment server, create server classes that deploy the add-ons with these updated configurations. Otherwise, make these changes after you have deployed the add-ons into the universal forwarders on the domain controllers. • Once you update configurations, you must restart the universal forwarders on each domain controller for the new changes to take effect. • 1
  • 3. Consider not including a baseline for Active Directory data collection You don't need to collect a baseline - or dump - of your Active Directory schema to use with the Splunk App for Windows Infrastructure. In fact, doing so can significantly increase the memory usage footprint on your domain controllers and your Splunk indexing volume. Unless you specifically need a baseline of your AD schema, consider turning it off. Open %SPLUNK_HOME%etcappsSplunk_TA_microsoft_ad<version>localinputs.conf for editing. 1. Modify the main admon stanza: [admon://NearestDC] disabled = 0 baseline = 0 2. Consider disabling the Active Directory monitoring input on all but a select group of domain controllers When you collect Active Directory data for the Splunk App for Windows Infrastructure, it is not necessary to enable the Active Directory monitoring input (admon) on every domain controller in your Exchange environment. If you have a number of domain controllers, consider selecting one (or two to three for redundancy) and enabling the admon inputs only on those hosts. You should still install the Splunk_TA_microsoft_ad add-on into each domain controller. You should also install the Splunk Add-on for Windows (Splunk_TA_Windows) onto the host to get all other Windows data for the host into the Splunk App for Windows Infrastructure. To configure active directory monitoring on a specific domain controller, open %SPLUNK_HOME%etcappsSplunk_TA_microsoft_adlocalinputs.conf for editing. 1. In the file, disable the main admon stanza. [admon://NearestDC] disabled = 1 2. Create a new Active Directory monitoring stanza and set the targetDc attribute to the NetBIOS name of the controller on which you want to run admon. For example, if the host on which you want to run admon is named SF-DC2, configure a new admon stanza like the following: 3. 2
  • 4. [admon://ADMonitoring] targetDc = SF-DC2 monitorSubtree = 1 baseline = 0 index = msad disabled = 0 Consider specifying a domain controller for Security Event Log Security ID (SID) translations The Splunk Enterprise event log monitor translates security identifiers (SIDs) by default for the Security Event Log. Translation turns SIDs (the very long string that begins with S-1-5-21 and ends with a long jumble of numbers) into friendly account names. The Splunk App for Windows Infrastructure does not need SID translation in the Security Event Log. This is because Active Directory events already contain this information. To reduce the amount of memory that domain controllers use to perform SID translation, configure the Splunk Add-on for Windows (Splunk_TA_Windows) to disable SID translation. To disable SID translation, open %SPLUNK_HOME%etcappsSplunk_TA_Windowslocalinputs.conf for editing. 1. In this file, modify the Security Event Log stanza. [WinEventLog://Security] evt_resolve_ad_obj = 0 2. If you require SID translation, you can limit both its scope and where it occurs by setting the current_only and evt_dc_name attributes: [WinEventLog://Security] evt_dc_name = SF-DC2 # only use SF-DC2 to translate SIDs current_only = 1 # only translate SIDs for events that come in for new events Consider limiting AD object access events to reduce impact on license usage When you enable auditing on your AD domain controllers, the DCs create Security Event Code 4662 events each time a user accesses any kind of AD object. (On Windows Server 2003 and Server 2003 R2, the event code is 566). This can greatly impact license volume and potentially cause violations. 3
  • 5. To address the problem, limit the indexing of these event codes by blacklisting some of the events which contain them (the app uses the events for Group Policy monitoring but no other purpose.) This procedure requires that you use Splunk universal forwarder version 6.1 or later. If you cannot use this version of the universal forwarder, then this strategy does not apply to you. 4