LOGbinder Support


8. Install Supercharger with Splunk Free and the Splunk App for LOGbinder


bjvista
How To

Note: Select a computer on which to run Supercharger and Splunk.

Installing and Configuring Supercharger

    Installing Supercharger

    Create Custom Log for Domain Controller Forwarded Events

    Create a Subscription to Forward Domain Controller logs

Preparing Active Directory

    Group Policy

         Add Collector as a Targeted Subscription Manager

         Configure Permissions for Security Log Access on Domain Controllers

         Audit Policy

    Active Directory Users and Computers

         Configure Object Level Audit Policy

Install Splunk Free

Install Splunk App for LOGbinder

Installing and Configuring Supercharger

Installing Supercharger

  1. Download Supercharger from LOGbinder.com.
  2. Run the installation file.
  3. Perform a default installation.
    1. For further information go to this Installing Supercharger KB article.
    2. The installer will install IIS if it is not installed and will reboot the server. The installation will resume upon login.
  4. Supercharger will automatically open the web browser upon completion of the installation.
    ***Please note that if your DCs are Windows Server 2008 R2, you will need to run "winrm qc" on each DC in an elevated cmd prompt.***

Create Custom Log for Domain Controller Forwarded Events

  1. Expand the collector and click on the “Add Event Log” button.

     

  2. Configure the new event log:
    1. The log must be named ADChanges
    2. The log path can be customized
    3. The maximum log size can be customized but must be at least 511,967,232 bytes.
  3. Click “Save”.

 

Create a Subscription to Forward Domain Controller logs

  1. Expand the collector and click on the “Add Subscription” button.

     

  2. On the “New Subscription” screen, enter a name and description. Select the previously created log, “Supercharger-Destination-ADChanges/Log”, and click “Next”.

     

  3. Select “Builtin Deterministic 100% for High Value Servers” from the “Policy” dropdown.

      

  4. Click on the green “Add” button and then search for “domain controllers”. Select “Domain Controllers” in the “Results” window and then click “Add Forwarder”. Then click “Next”.

     

  5. Select “Builtin – Security: Active Directory Changes” from the dropdown then click “Next”.

      

  6. Click on the green “Add Subscription” button.

Preparing Active Directory

Group Policy

Add Collector as a Targeted Subscription Manager

  1. Connect to the Domain Controller.
  2. Right click on “Start”, select “Run”, and run “gpmc.msc”.

  3. Expand the “Domain Controllers” OU, right click on “Default Domain Controllers Policy”, and select “Edit”.

  4. In Group Policy Management Editor, navigate to the following location: Default Domain Policy\Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding

  5. Double click on “Configure target Subscription Manager” on the right.

     

  6. Select “Enabled” and then click the “Show” button.

     

  7. Add the collector to the “SubscriptionManagers” list. This string can be found in Supercharger by clicking on “Quick Start” and then expanding the “Configure potential source computers with Group Policy” section. Under #2 you will find the collector string syntax. Copy and paste this string, but do not copy the bullet point. Use the following syntax:
     Server=http://<FQDN of the collector>:5985/wsman/SubscriptionManager/WEC,Refresh=900
     where <FQDN of the collector> is the collector's fully qualified name, in the form “servername.domain.abc”.
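As an added check that is not part of LOGbinder's documentation, the following PowerShell script, run in an elevated prompt on a domain controller after the policy has applied, verifies the string the GPO wrote (it reads the registry key where this policy setting is stored), confirms the WinRM service is running as the install note requires, and tests that the collector's WinRM endpoint answers from the DC.

```powershell
# Added verification script; not part of LOGbinder's documentation.
# Run in an elevated PowerShell prompt on a DC after the policy has applied (gpupdate /force).
# Checks: the policy wrote a subscription manager string in the documented syntax,
# WinRM is running locally (the "winrm qc" prerequisite), and the collector's WinRM
# endpoint answers. The registry key is where this policy setting is stored.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
# Expected form: Server=http://<collector FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=900
$pattern = '^Server=(?<scheme>https?)://(?<host>[^:/,]+):(?<port>\d+)/wsman/SubscriptionManager/WEC,Refresh=(?<refresh>\d+)$'

function Test-SubscriptionManagerPolicy {
    if (-not (Test-Path $policyKey)) {
        Write-Warning "Policy key not found; the GPO has not applied on this DC."
        return $false
    }
    # Each configured entry is a value named "1", "2", ... under the key.
    $entries = (Get-ItemProperty -Path $policyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' }
    if (-not $entries) { Write-Warning "No subscription manager strings configured."; return $false }

    $ok = $true
    foreach ($entry in $entries) {
        $value = [string]$entry.Value
        if ($value -notmatch $pattern) {
            Write-Warning "Entry $($entry.Name) does not match the documented syntax: $value"
            $ok = $false
            continue
        }
        $collector = $Matches['host']; $port = [int]$Matches['port']
        Write-Host "Entry $($entry.Name): collector=$collector port=$port refresh=$($Matches['refresh'])s"
        # Confirm this DC can reach the collector's WinRM endpoint with the scheme/port from the string.
        try {
            $null = Test-WSMan -ComputerName $collector -Port $port -UseSSL:($Matches['scheme'] -eq 'https') -ErrorAction Stop
            Write-Host "  WinRM endpoint on $collector is reachable."
        } catch {
            Write-Warning "  Cannot reach WinRM on $collector : $($_.Exception.Message)"
            $ok = $false
        }
    }
    return $ok
}

# Local prerequisite from the install notes: the WinRM service must be running on the DC.
$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running') {
    Write-Warning "WinRM service is $($winrm.Status); run 'winrm qc' in an elevated prompt."
}
Test-SubscriptionManagerPolicy
```

If the key is missing, run `gpupdate /force` on the DC and re-check; if the endpoint test fails, the DC cannot deliver events to the collector until the network path or the collector's WinRM listener is fixed.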

  

Configure Permissions for Security Log Access on Domain Controllers

  1. Connect to the Domain Controller.
  2. Right click on “Start”, select “Run”, and run “gpmc.msc”.

  3. Expand the “Domain Controllers” OU, right click on “Default Domain Controllers Policy”, and select “Edit”.

  4. Perform one of the two steps from this KB article: Granting Permissions for Security Log Forwarding

Audit Policy

  1. Connect to the Domain Controller.
  2. Right click on “Start”, select “Run”, and run “gpmc.msc”.

  3. Expand the “Domain Controllers” OU, right click on “Default Domain Controllers Policy”, and select “Edit”.

  4. Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options and, in the list of options in the right window, click on “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”.