<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk app for Window infrastructure in Installation</title>
    <link>https://community.splunk.com/t5/Installation/Splunk-app-for-Window-infrastructure/m-p/518773#M6655</link>
    <description>&lt;P&gt;Thank you for sharing.&amp;nbsp; Do you have a question?&lt;/P&gt;</description>
    <pubDate>Wed, 09 Sep 2020 23:52:37 GMT</pubDate>
    <dc:creator>richgalloway</dc:creator>
    <dc:date>2020-09-09T23:52:37Z</dc:date>
    <item>
      <title>Splunk app for Window infrastructure</title>
      <link>https://community.splunk.com/t5/Installation/Splunk-app-for-Window-infrastructure/m-p/518763#M6653</link>
      <description>&lt;P&gt;I have installed the Windows infrastructure app on a Splunk search head (which is a server)&lt;/P&gt;&lt;P&gt;The app requires multiple indexes (msad, perfmon, wineventlog) and all indexes are&lt;/P&gt;&lt;P&gt;receiving data except for msad&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;This is my inputs.conf file&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;# Copyright (C) 2019 Splunk Inc. All Rights Reserved.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.
#



###### OS Logs ######
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index= wineventlog

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
index= wineventlog

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index= wineventlog


###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml=true
host=WinEventLogForwardHost
index= wineventlog


###### WinEventLog Inputs for Active Directory ######

## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 0
renderXml=true
index= wineventlog
 
## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 0
renderXml=true
index= wineventlog
 
## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 0
renderXml=true
index= wineventlog
 
## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 0
renderXml=true
index= wineventlog


###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
disabled=1
renderXml=true
index= wineventlog


###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = &amp;lt;SOURCE&amp;gt;
sourcetype = DhcpSrvLog
index = windows


###### Windows Update Log ######
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows

## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
## Below stanza will automatically generate WindowsUpdate.log daily
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 0
index = windows

## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows


###### Monitor Inputs for Active Directory ######
[monitor://$WINDIR\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled=0
index = msad


###### Monitor Inputs for DNS ######
[MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
sourcetype=MSAD:NT6:DNS
disabled=0
index = msad


###### Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts

[script://.\bin\win_installed_apps.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

[script://.\bin\win_timesync_status.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
index = windows

[script://.\bin\win_timesync_configuration.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
index = windows

[script://.\bin\netsh_address.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration
index = windows

###### Scripted/Powershell Mod inputs Active Directory ######

## Replication Information NT6
[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
source = Powershell
sourcetype = MSAD:NT6:Replication
interval = 300
disabled = 0
index = msad
 
## Replication Information 2012r2 and 2016
[powershell://Replication-Stats]
script = &amp;amp; "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype = MSAD:NT6:Replication
disabled = 0
index = msad
 
## Health and Topology Information NT6
[script://.\bin\runpowershell.cmd nt6-health.ps1]
source=Powershell
sourcetype = MSAD:NT6:Health
interval = 300
disabled = 0
index = msad
 
## Health and Topology Information 2012r2 and 2016
[powershell://AD-Health]
script = &amp;amp; "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype = MSAD:NT6:Health
disabled = 0
index = msad
 
 
## Site, Site Link and Subnet Information NT6
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source = Powershell
sourcetype = MSAD:NT6:SiteInfo
interval = 3600
disabled = 0
index = msad
 
## Site, Site Link and Subnet Information 2012r2 and 2016
[powershell://Siteinfo]
script = &amp;amp; "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
schedule = 0 15 * ? * *
source = Powershell
sourcetype = MSAD:NT6:SiteInfo
disabled = 0
index = msad


##### Scripted Inputs for DNS #####

## DNS Zone Information Collection
[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
source = Powershell
sourcetype = MSAD:NT6:DNS-Zone-Information
interval = 3600
disabled = 0
index = msad
 
## DNS Health Information Collection
[script://.\bin\runpowershell.cmd dns-health.ps1]
source = Powershell
sourcetype = MSAD:NT6:DNS-Health
interval = 3600
disabled = 0
index = msad


###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
type = Computer
index = windows

[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = windows

[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows

[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
type = NetworkAdapter
index = windows

[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows

[WinHostMon://Driver]
interval = 600
disabled = 0
type = Driver
index = windows

[WinHostMon://Roles]
interval = 600
disabled = 0
type = Roles
index = windows

###### Print monitoring ######
[WinPrintMon://printer]
type = printer
interval = 600
baseline = 1
disabled = 0
index = windows

[WinPrintMon://driver]
type = driver
interval = 600
baseline = 1
disabled = 0
index = windows

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 0
index = windows

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows

###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = perfmon

## Logical Disk
[perfmon://LogicalDisk]
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly=true
index = perfmon

## Physical Disk
[perfmon://PhysicalDisk]
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly=true
index = perfmon

## Memory
[perfmon://Memory]
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly=true
index = perfmon

## Network
[perfmon://Network]
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly=true
index = perfmon

## Process
[perfmon://Process]
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly = true
index = perfmon

## ProcessInformation
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly = true
index = perfmon

## System
[perfmon://System]
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly = true
index = perfmon


###### Perfmon Inputs from TA-AD/TA-DNS ######
[perfmon://Processor]
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
 
[perfmon://Network_Interface]
object = Network Interface
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
 
[perfmon://DFS_Replicated_Folders]
object = DFS Replicated Folders
instances = *
interval = 30
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
 
[perfmon://NTDS]
object = NTDS 
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon

[perfmon://DNS]
object = DNS
counters = Total Query Received; Total Query Received/sec; UDP Query 
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon


[admon://default]
disabled = 0
monitorSubtree = 1
index = perfmon


[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = perfmon

[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = perfmon

[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = perfmon&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 09 Sep 2020 20:16:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Installation/Splunk-app-for-Window-infrastructure/m-p/518763#M6653</guid>
      <dc:creator>mysplunkbase</dc:creator>
      <dc:date>2020-09-09T20:16:28Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk app for Window infrastructure</title>
      <link>https://community.splunk.com/t5/Installation/Splunk-app-for-Window-infrastructure/m-p/518773#M6655</link>
      <description>&lt;P&gt;Thank you for sharing.&amp;nbsp; Do you have a question?&lt;/P&gt;</description>
      <pubDate>Wed, 09 Sep 2020 23:52:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Installation/Splunk-app-for-Window-infrastructure/m-p/518773#M6655</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2020-09-09T23:52:37Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk app for Window infrastructure</title>
      <link>https://community.splunk.com/t5/Installation/Splunk-app-for-Window-infrastructure/m-p/518780#M6657</link>
      <description>&lt;P&gt;My question is: how do I get the msad index to receive data?&lt;/P&gt;</description>
      <pubDate>Thu, 10 Sep 2020 00:46:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Installation/Splunk-app-for-Window-infrastructure/m-p/518780#M6657</guid>
      <dc:creator>mysplunkbase</dc:creator>
      <dc:date>2020-09-10T00:46:13Z</dc:date>
    </item>
  </channel>
</rss>

