topic Re: Why am I getting an error trying to configure the Splunk App for Windows Infrastructure without a search head? in All Apps and Add-ons

Why am I getting an error trying to configure the Splunk App for Windows Infrastructure without a search head?

tsekali — Fri, 06 Feb 2015 09:21:09 GMT

Hi everyone.

I am trying to configure the Splunk App for Windows Infrastructure. My topology includes 2 Windows Domain Controllers, one Windows Exchange Server, one win File Server, and 2 cisco devices. Windows machines are running a universal forwarder each, an indexer runs splunk enterprise 6.2.1 on ubuntu 14 and there is no Search Head. The indexer is responsible for both indexing and searching.

About the app, the following is set up:
Splunk v6.2.1
Splunk Add-on for Microsoft Windows v4.7.3
Splunk Supporting Add-on for Microsoft Windows Active Directory v2.0.1

The user with winfra-admin user role and everything is marked with a green "tick". Besides that, continuing the wizard I get the following error:

Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours

I read that Splunk Supporting Add-on for Microsoft Windows Active Directory should be installed on the search head (which is not present in my topology because I found there is no need to have one). Does anyone know what might be the problem?

Thank you!

Re: Why am I getting an error trying to configure the Splunk App for Windows Infrastructure without a search head?

jofe — Fri, 06 Feb 2015 12:58:23 GMT

Hello,

Have you added the AD relevant TA:s to the domain controllers? MSAD data is generally grabbed through powershell scripts running on the domain controller. (You need powershell execution rights as well for this to work)

Re: Why am I getting an error trying to configure the Splunk App for Windows Infrastructure without a search head?

tsekali — Tue, 10 Feb 2015 08:42:43 GMT

Thanks for your answer!
Do you mean the Splunk Supporting Add-on for Microsoft Windows Active Directory v2.0.1 ? I have this one installed on the indexer and it is marked as OK.

Re: Why am I getting an error trying to configure the Splunk App for Windows Infrastructure without a search head?

tsekali — Tue, 10 Feb 2015 09:00:30 GMT

Also, in the documentation I see that The Splunk Supporting Add-on for Active Directory can be installed on a search head.
It does not perform any function when installed on a forwarder or indexer . Am I doing something wrong?
My topology does not have a search head. Am I able to setup this app ??

Re: Why am I getting an error trying to configure the Splunk App for Windows Infrastructure without a search head?

malmoore — Wed, 11 Feb 2015 00:24:29 GMT

If you do not have a search head in your topology, then your indexer is the search head by default. So there is no issue there.

The data check for Active Directory is failing. This is because either:

The msad index does not exist on your indexer
The domain controllers are not sending data to the msad index - they only do this if you installed the correct Active Directory add-on in the universal forwarder on each DC.
The user has not been set up to search the msad index by default.

More info at the Splunk App for Windows Infrastructure Troubleshooting Page.

Re: Why am I getting an error trying to configure the Splunk App for Windows Infrastructure without a search head?

jofe — Wed, 11 Feb 2015 10:22:51 GMT

Like malmoore says,

You need more than the configuration on the search head / indexer for this to work. Please review his answer and verify that you have an MSAD index, and that you have installed the correct addon on the DOMAIN CONTROLLERS.

Re: Why am I getting an error trying to configure the Splunk App for Windows Infrastructure without a search head?

tsekali — Fri, 13 Feb 2015 09:36:04 GMT

People....I am confused like big time here....!!

Is there any other add-on than Splunk Supporting Add-on for Active Directory ??

Re: Why am I getting an error trying to configure the Splunk App for Windows Infrastructure without a search head?

malmoore — Fri, 13 Feb 2015 23:41:29 GMT

No. There are no other add-ons than the ones you listed. As well, the Splunk Supporting Add-on for Active Directory is not applicable to the problems you experience.

Please read my response from 2 days ago as a starting point.