https://community.splunk.com/t5/Getting-Data-In/Active-Directory-APP-no-Failed-Logon-Data/m-p/176725#M35456 <P>Hi, i need some help with the Active Directory APP installation because i cannot get any Failed Logon Data within the APP.</P> <P>i am using the Trial Version of Splunk<BR /> - we have 1 Unix Indexer<BR /> - we have 1 Windows 2008 R2 Domaincontroller (Universal Client).</P> <P>I installed on the Indexer: <BR /> Active Directory APP<BR /> (deployeed to the Domaincontroller TA-DomainController-NT6) <BR /> (deployeed to the Domaincontroller TA-DNSServer-NT6)<BR /> SA-ldapsearch and configured it, it works fine<BR /> Splunk Ad-on for Windows<BR /> (deployeed it to the Domaincontroller)<BR /> Sideview </P> <P>On the Domaincontroller i installed:<BR /> Universal Forwarder<BR /> deployeed the TA-Domaincontroller-NT6 and DNSServer-NT6 and the Add-on for Windows</P> <P>Now my question, the documentation says that when installing the Universal Forwarder on the domaincontroler "Do not enable any of the inputs during the installation". So i left on the last installation page all unchecked (no eventlogs, no AD monitoring, all unchecked). Is this right ? Bedause when i do that i cannot get any Faled Logon Data within the Active Directory APP. The ldap stuff is working fine, so i can see the green light and domain names and servernames within the Active Directory APP. What i am doing wrong ? Is it right that i do not need any Eventlogs separately configured at the Universal Forwarder to have those Failed logon Data ? </P> <P>Thanks and best regards</P> <P>Dave</P> Thu, 12 Dec 2013 17:28:51 GMT davidbaier 2013-12-12T17:28:51Z https://community.splunk.com/t5/Getting-Data-In/Active-Directory-APP-no-Failed-Logon-Data/m-p/176725#M35456 <P>Hi, i need some help with the Active Directory APP installation because i cannot get any Failed Logon Data within the APP.</P> <P>i am using the Trial Version of Splunk<BR /> - we have 1 Unix Indexer<BR /> - we have 1 Windows 2008 R2 Domaincontroller (Universal Client).</P> <P>I installed on the Indexer: <BR /> Active Directory APP<BR /> (deployeed to the Domaincontroller TA-DomainController-NT6) <BR /> (deployeed to the Domaincontroller TA-DNSServer-NT6)<BR /> SA-ldapsearch and configured it, it works fine<BR /> Splunk Ad-on for Windows<BR /> (deployeed it to the Domaincontroller)<BR /> Sideview </P> <P>On the Domaincontroller i installed:<BR /> Universal Forwarder<BR /> deployeed the TA-Domaincontroller-NT6 and DNSServer-NT6 and the Add-on for Windows</P> <P>Now my question, the documentation says that when installing the Universal Forwarder on the domaincontroler "Do not enable any of the inputs during the installation". So i left on the last installation page all unchecked (no eventlogs, no AD monitoring, all unchecked). Is this right ? Bedause when i do that i cannot get any Faled Logon Data within the Active Directory APP. The ldap stuff is working fine, so i can see the green light and domain names and servernames within the Active Directory APP. What i am doing wrong ? Is it right that i do not need any Eventlogs separately configured at the Universal Forwarder to have those Failed logon Data ? </P> <P>Thanks and best regards</P> <P>Dave</P> Thu, 12 Dec 2013 17:28:51 GMT https://community.splunk.com/t5/Getting-Data-In/Active-Directory-APP-no-Failed-Logon-Data/m-p/176725#M35456 davidbaier 2013-12-12T17:28:51Z https://community.splunk.com/t5/Getting-Data-In/Active-Directory-APP-no-Failed-Logon-Data/m-p/176726#M35457 <P>So, i will answer myself after some more investigation.</P> <P>It seems on the Univeral Forwarder the Security logs needs to be enabled, so a inputs.conf needs to be copied to the following path: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk<EM>TA</EM>windows\local</P> <P>with the following setting: [WinEventLog://Security] disabled = 0</P> <P>That should do the trick, at least it is working for me now.</P> <P>Dave</P> Wed, 18 Dec 2013 14:00:24 GMT https://community.splunk.com/t5/Getting-Data-In/Active-Directory-APP-no-Failed-Logon-Data/m-p/176726#M35457 davidbaier 2013-12-18T14:00:24Z