Note: Select a computer to run Supercharger and Splunk
Installing and Configuring Supercharger
Installing Supercharger
Create Custom Log for Domain Controller Forwarded Events
Create a Subscription to Forward Domain Controller logs
Preparing Active Directory
Group Policy
Add Collector as a Targeted Subscription Manager
Configure Permissions for Security Log Access on Domain Controllers
Audit Policy
Active Directory Users and Computers
Configure Object Level Audit Policy
Install Splunk Free
Install Splunk App for LOGbinder
Installing and Configuring Supercharger
Installing Supercharger
- Download Supercharger from LOGbinder.com.
- Run the installation file.
- Perform a default installation.
- For further information, see the Installing Supercharger KB article.
- The installer will install IIS if it is not installed and will reboot the server. The installation will resume upon login.
- Supercharger will automatically open the web browser upon completion of the installation.
***Please note that if your DCs are running Windows Server 2008 R2, you will need to run "winrm qc" on each DC in an elevated command prompt.***
Create Custom Log for Domain Controller Forwarded Events
- Expand the collector and click on the “Add Event Log” button.

- Configure the new event log:
  - The log must be named ADChanges.
  - The log path can be customized.
  - The maximum log size can be customized but must be at least 511,967,232 bytes.
- Click “Save”.

Create a Subscription to Forward Domain Controller logs
- Expand the collector and click on the “Add Subscription” button.

- On the “New Subscription” screen, enter a name and description. Select the previously created log, “Supercharger-Destination-ADChanges/Log”, and click on “Next”.

- Select “Builtin Deterministic 100% for High Value Servers” from the “Policy” dropdown.
- Click on the green “Add” button and then search for “domain controllers”. Select “Domain Controllers” in the “Results” window and then click “Add Forwarder”. Then click “Next”.

- Select “Builtin – Security: Active Directory Changes” from the dropdown then click “Next”.
- Click on the green “Add Subscription” button.
Preparing Active Directory
Group Policy
Add Collector as a Targeted Subscription Manager
- Connect to the Domain Controller.
- Right-click “Start”, select “Run”, and run “gpmc.msc”.
- Expand the “Domain Controllers” OU, right-click “Default Domain Controllers Policy”, and select “Edit”.

- In Group Policy Management Editor, navigate to the following location: Default Domain Policy\Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding

- Double click on “Configure target Subscription Manager” on the right.

- Select “Enabled” and then click the “Show” button.

- Add the collector to the “SubscriptionManagers” list. This string can be found in Supercharger by clicking on “Quick Start” and then expanding the “Configure potential source computers with Group Policy” section. Under #2 you will find the collector string syntax. Copy and paste this string. Do not copy the bullet point. Use the following syntax:
Server=http://<FQDN of the collector>:5985/wsman/SubscriptionManager/WEC,Refresh=900
where <FQDN of the collector> takes the form “servername.domain.abc”.
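One way to confirm that the Subscription Manager setting reached a domain controller and has the syntax shown above. This is an added example, not part of the original guide or of Supercharger. The collector name is a placeholder, the function name is hypothetical, and the registry key is the standard location where Windows stores this policy setting.

```powershell
# Added example. Run in an elevated PowerShell session on a domain controller
# after the GPO has applied (for example, following "gpupdate /force").
$CollectorFqdn = 'servername.domain.abc'   # placeholder: your collector's FQDN

# Registry key populated by the "Configure target Subscription Manager" policy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

function Test-SubscriptionManagerString {
    param([string]$Value, [string]$ExpectedFqdn)
    # Shape given in this guide:
    #   Server=http://<FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=900
    $pattern = '^Server=http://(?<fqdn>[A-Za-z0-9.-]+):5985/wsman/SubscriptionManager/WEC,Refresh=(?<refresh>\d+)$'
    if (-not ($Value -match $pattern)) {
        # Catches a pasted bullet point, stray whitespace, or a wrong port/path.
        return 'Malformed string'
    }
    $fqdn = $Matches['fqdn']
    if ($fqdn -notlike '*.*')   { return 'Host name is not fully qualified' }
    if ($fqdn -ne $ExpectedFqdn) { return "Points at $fqdn, expected $ExpectedFqdn" }
    return 'OK'
}

if (-not (Test-Path $PolicyKey)) {
    Write-Warning 'Policy key not present: the GPO has not applied to this computer.'
} else {
    $regKey = Get-Item $PolicyKey
    # Each entry from the "Show" dialog is stored as one string value.
    foreach ($name in $regKey.GetValueNames()) {
        $value  = [string]$regKey.GetValue($name)
        $result = Test-SubscriptionManagerString -Value $value -ExpectedFqdn $CollectorFqdn
        '{0}: {1} -> {2}' -f $name, $value, $result
    }
}

# The domain controller must be able to reach the collector's WinRM listener
# (Test-WSMan uses HTTP on port 5985 by default).
try {
    Test-WSMan -ComputerName $CollectorFqdn -ErrorAction Stop | Out-Null
    "WinRM on $CollectorFqdn is reachable"
} catch {
    Write-Warning "WinRM on $CollectorFqdn is not reachable: $($_.Exception.Message)"
}
```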
Configure Permissions for Security Log Access on Domain Controllers
- Connect to the Domain Controller.
- Right-click “Start”, select “Run”, and run “gpmc.msc”.
- Expand the “Domain Controllers” OU, right-click “Default Domain Controllers Policy”, and select “Edit”.

- Perform one of the two steps from this KB article: Granting Permissions for Security Log Forwarding
Audit Policy
- Connect to the Domain Controller.
- Right-click “Start”, select “Run”, and run “gpmc.msc”.
- Expand the “Domain Controllers” OU, right-click “Default Domain Controllers Policy”, and select “Edit”.

- Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options and, in the list of options in the right window, click on “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”.
