How to Deploy Splunk AD Monitoring in 437 Easy Steps


I just had the privilege of getting Active Directory data into Splunk. It was pretty straightforward. Here are the steps.

  1. Consult two priests (preferably an old and a young one)

  2. Install 47 plugins on the Splunk indexer. Those won’t do anything. Just install them.

  3. Install 19 more plugins on your Domain Controller. Those also won’t do anything.

  4. Install the Universal Forwarder on the Domain Controller. Confusingly, it’s 1) not universal, and 2) it doesn’t forward anything.

  5. Edit some files in Notepad on the Domain Controller. Add random text snippets you found from searching 113 articles online from people near suicide at this stage in the process. Paste some of that stuff into the files. Restart the Forwarder Daemon 7 times. Or more.

  6. Find 5 pre-pubescent Peruvian chickens. Kill them and place their bodies in the shape of a pentagram.

  7. Spend 2.6 more hours in the Splunk forums learning how much people hate the Add-on process.

  8. Expand your cursing vocabulary by 68%.

  9. Table flip.

  10. Install Snare and forward to Syslog.

Turns out it was the chickens for me (Step 6). There are more than five different species of Peruvian chicken, and I used the wrong kind.

Plus the priests were Orthodox. Never use Orthodox priests to install AD for Splunk.

TL:DR: Splunk needs to have a single installer for sending, and a single installer for receiving. Right now I am facing in the direction of their headquarters in SF and making gestures like the French guy in Holy Grail.


  1. Splunk is actually phenomenal when you have data in it. It’s just way to hard to get data into it for Windows infrastructure, which is not extraordinarily uncommon.

  2. Lots of actual chickens were harmed during this installation.

Related posts: