https://community.splunk.com/t5/Security/HELP-No-events-from-remote-FileServer-SECURITY-log/m-p/242477#M14888 <P>I can't seem to get this figured out. I've tried adding the stanzas to the output.conf file on my fileserver where the SplunkUniversalForwarder is installed, but nothing from the security log ever shows up. Here's the end of my splunkd log.</P> <P>Windows Server 2012 R2 for both the Indexer and FileServer I'm attempting to pull logs from.</P> <BLOCKQUOTE> <P>03-15-2016 12:54:54.552 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-&gt;admon.exe"" splunk-admon - ADMonitorThread::launchADMonitor: Failed to initialize ADMonitor='admon://NearestDC', targedDC='(null)'</P> </BLOCKQUOTE> <P>ad nauseum. </P> <P>Here is my inputs.conf (copied to /etc/var/system/local) --</P> <H1>Version 6.3.3</H1> <H1>DO NOT EDIT THIS FILE!</H1> <H1>Changes to default files will be lost on update and are difficult to</H1> <H1>manage and support.</H1> <H1>Please make any changes to system defaults by overriding them in</H1> <H1>apps or $SPLUNK_HOME/etc/system/local</H1> <H1>(See "Configuration file precedence" in the web documentation).</H1> <H1>To override a specific setting, copy the name of the stanza and</H1> <H1>setting to the file where you wish to override it.</H1> <H1>This file contains possible attributes and values you can use to</H1> <H1>configure inputs, distributed inputs and file system monitoring.</H1> <P>[default]<BR /> index = default<BR /> _rcvbuf = 1572864<BR /> host = $decideOnStartup<BR /> evt_resolve_ad_obj = 0<BR /> evt_dc_name=<BR /> evt_dns_name=</P> <P>[blacklist:$SPLUNK_HOME\etc\auth]</P> <P>[monitor://$SPLUNK_HOME\var\log\splunk]<BR /> index = _internal</P> <P>[monitor://$SPLUNK_HOME\etc\splunk.version]<BR /> _TCP_ROUTING = *<BR /> index = _internal<BR /> sourcetype=splunk_version</P> <P>[batch://$SPLUNK_HOME\var\spool\splunk]<BR /> move_policy = sinkhole<BR /> crcSalt = </P> <P>[batch://$SPLUNK_HOME\var\spool\splunk...stash_new]<BR /> queue = stashparsing<BR /> sourcetype = stash_new<BR /> move_policy = sinkhole<BR /> crcSalt = </P> <P>[fschange:$SPLUNK_HOME\etc]</P> <H1>poll every 10 minutes</H1> <P>pollPeriod = 600</P> <H1>generate audit events into the audit index, instead of fschange events</H1> <P>signedaudit=true<BR /> recurse=true<BR /> followLinks=false<BR /> hashMaxSize=-1<BR /> fullEvent=false<BR /> sendEventMaxSize=-1<BR /> filesPerDelay = 10<BR /> delayInMills = 100</P> <P>[udp]<BR /> connection_host=ip</P> <P>[tcp]<BR /> acceptFrom=*<BR /> connection_host=dns</P> <P>[splunktcp]<BR /> route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue<BR /> acceptFrom=*<BR /> connection_host=ip</P> <P>[script]<BR /> interval = 60.0<BR /> start_by_shell = false</P> <P>[SSL]</P> <H1>default cipher suites that splunk allows. Change this if you wish to increase the security</H1> <H1>of SSL connections, or to lower it if you having trouble connecting to splunk.</H1> <P>cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM<BR /> allowSslRenegotiation = true<BR /> sslQuietShutdown = false</P> <H1>Allow only sslv3 and above connections</H1> <P>sslVersions = *,-ssl2</P> <P>[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]<BR /> disabled = 0<BR /> interval = 10000000<BR /> source = wmi<BR /> sourcetype = wmi<BR /> queue = winparsing<BR /> persistentQueueSize=200MB</P> <H1>default single instance modular input restarts</H1> <H1>Windows platform specific input processor.</H1> <P>[WinEventLog://Application]<BR /> disabled = 0 <BR /> [WinEventLog://Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5</P> <H1>only index events with these event IDs.</H1> <P>whitelist = 0-2000,3001-10000</P> <H1>exclude these event IDs from being indexed.</H1> <P>blacklist = 2001-3000[WinEventLog://System]<BR /> disabled = 0"</P> Tue, 29 Sep 2020 09:03:28 GMT akmartin 2020-09-29T09:03:28Z https://community.splunk.com/t5/Security/HELP-No-events-from-remote-FileServer-SECURITY-log/m-p/242477#M14888 <P>I can't seem to get this figured out. I've tried adding the stanzas to the output.conf file on my fileserver where the SplunkUniversalForwarder is installed, but nothing from the security log ever shows up. Here's the end of my splunkd log.</P> <P>Windows Server 2012 R2 for both the Indexer and FileServer I'm attempting to pull logs from.</P> <BLOCKQUOTE> <P>03-15-2016 12:54:54.552 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-&gt;admon.exe"" splunk-admon - ADMonitorThread::launchADMonitor: Failed to initialize ADMonitor='admon://NearestDC', targedDC='(null)'</P> </BLOCKQUOTE> <P>ad nauseum. </P> <P>Here is my inputs.conf (copied to /etc/var/system/local) --</P> <H1>Version 6.3.3</H1> <H1>DO NOT EDIT THIS FILE!</H1> <H1>Changes to default files will be lost on update and are difficult to</H1> <H1>manage and support.</H1> <H1>Please make any changes to system defaults by overriding them in</H1> <H1>apps or $SPLUNK_HOME/etc/system/local</H1> <H1>(See "Configuration file precedence" in the web documentation).</H1> <H1>To override a specific setting, copy the name of the stanza and</H1> <H1>setting to the file where you wish to override it.</H1> <H1>This file contains possible attributes and values you can use to</H1> <H1>configure inputs, distributed inputs and file system monitoring.</H1> <P>[default]<BR /> index = default<BR /> _rcvbuf = 1572864<BR /> host = $decideOnStartup<BR /> evt_resolve_ad_obj = 0<BR /> evt_dc_name=<BR /> evt_dns_name=</P> <P>[blacklist:$SPLUNK_HOME\etc\auth]</P> <P>[monitor://$SPLUNK_HOME\var\log\splunk]<BR /> index = _internal</P> <P>[monitor://$SPLUNK_HOME\etc\splunk.version]<BR /> _TCP_ROUTING = *<BR /> index = _internal<BR /> sourcetype=splunk_version</P> <P>[batch://$SPLUNK_HOME\var\spool\splunk]<BR /> move_policy = sinkhole<BR /> crcSalt = </P> <P>[batch://$SPLUNK_HOME\var\spool\splunk...stash_new]<BR /> queue = stashparsing<BR /> sourcetype = stash_new<BR /> move_policy = sinkhole<BR /> crcSalt = </P> <P>[fschange:$SPLUNK_HOME\etc]</P> <H1>poll every 10 minutes</H1> <P>pollPeriod = 600</P> <H1>generate audit events into the audit index, instead of fschange events</H1> <P>signedaudit=true<BR /> recurse=true<BR /> followLinks=false<BR /> hashMaxSize=-1<BR /> fullEvent=false<BR /> sendEventMaxSize=-1<BR /> filesPerDelay = 10<BR /> delayInMills = 100</P> <P>[udp]<BR /> connection_host=ip</P> <P>[tcp]<BR /> acceptFrom=*<BR /> connection_host=dns</P> <P>[splunktcp]<BR /> route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue<BR /> acceptFrom=*<BR /> connection_host=ip</P> <P>[script]<BR /> interval = 60.0<BR /> start_by_shell = false</P> <P>[SSL]</P> <H1>default cipher suites that splunk allows. Change this if you wish to increase the security</H1> <H1>of SSL connections, or to lower it if you having trouble connecting to splunk.</H1> <P>cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM<BR /> allowSslRenegotiation = true<BR /> sslQuietShutdown = false</P> <H1>Allow only sslv3 and above connections</H1> <P>sslVersions = *,-ssl2</P> <P>[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]<BR /> disabled = 0<BR /> interval = 10000000<BR /> source = wmi<BR /> sourcetype = wmi<BR /> queue = winparsing<BR /> persistentQueueSize=200MB</P> <H1>default single instance modular input restarts</H1> <H1>Windows platform specific input processor.</H1> <P>[WinEventLog://Application]<BR /> disabled = 0 <BR /> [WinEventLog://Security]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5</P> <H1>only index events with these event IDs.</H1> <P>whitelist = 0-2000,3001-10000</P> <H1>exclude these event IDs from being indexed.</H1> <P>blacklist = 2001-3000[WinEventLog://System]<BR /> disabled = 0"</P> Tue, 29 Sep 2020 09:03:28 GMT https://community.splunk.com/t5/Security/HELP-No-events-from-remote-FileServer-SECURITY-log/m-p/242477#M14888 akmartin 2020-09-29T09:03:28Z https://community.splunk.com/t5/Security/HELP-No-events-from-remote-FileServer-SECURITY-log/m-p/242478#M14889 <P>I have a similar problem, it seems the problem is with the TA-DomainController-NT6 app or the Splunk_TA_windows app you may have installed. The specific line with causing this problem is:</P> <P>[admon://NearestDC]<BR /> monitorSubtree = 1<BR /> interval=3600<BR /> disabled=true<BR /> index=msad</P> <P>If you do not need to use it, you can disable it and the errors will stop.</P> Tue, 29 Sep 2020 09:12:58 GMT https://community.splunk.com/t5/Security/HELP-No-events-from-remote-FileServer-SECURITY-log/m-p/242478#M14889 djfangGR 2020-09-29T09:12:58Z https://community.splunk.com/t5/Security/HELP-No-events-from-remote-FileServer-SECURITY-log/m-p/242479#M14890 <P>I started all over and just removed everything. Cleared all the logs and reconnected the UF. Once I did that everything started showing up properly, no more errors. I did so much tinkering I think I just messed things up.</P> Mon, 28 Mar 2016 18:00:47 GMT https://community.splunk.com/t5/Security/HELP-No-events-from-remote-FileServer-SECURITY-log/m-p/242479#M14890 akmartin 2016-03-28T18:00:47Z https://community.splunk.com/t5/Security/HELP-No-events-from-remote-FileServer-SECURITY-log/m-p/242480#M14891 <P>Thanks for this</P> Wed, 11 Apr 2018 17:30:28 GMT https://community.splunk.com/t5/Security/HELP-No-events-from-remote-FileServer-SECURITY-log/m-p/242480#M14891 oobijiaku 2018-04-11T17:30:28Z