
Active Directory not found. How to troubleshoot a problem in Splunk App for Windows Infrastructure?

dfigurello
Communicator

Hi Splunkers,

I am installing the Splunk app for Windows in my Windows environment. My server is 2012 R2. I followed the instructions on docs.splunk.com, but I can't see my Active Directory data. The primary problem is that when I click Start in the dialog box to detect the type of data, my Active Directory data is not found.

For example:
...
Active Directory: Domains not found.
Detecting Domain Controllers
Active Directory: Domain Controllers not found.
Detecting DNS
Active Directory: DNS not found.
Detecting Users
Active Directory: Users found.
...

I checked the add-ons on my server but I can't find my problem.

Any idea?

1 Solution

dfigurello
Communicator

Hi everyone,

The Splunk eventtype was not configured with "index=msad" in the Windows application; when I configured index=msad, I could see my health data in the application.

Thank you for your attention.

Cheers.
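An added check, not from the thread or from the app, for the failure mode malmoore and the accepted answer describe: the first-run page matches on eventtypes, so an eventtype whose search carries no index term is run only against the role's default indexes and reports "not found" even though index=msad holds the data. The eventtypes.conf fragment and the index set are constructed from values quoted in the thread; the stanza bodies are assumed, not the app's real configuration.

```python
import re

# Constructed eventtypes.conf fragment; stanza bodies are assumed, NOT the app's
# real file. msad-dc-health and the index/sourcetype values come from the thread.
EVENTTYPES_CONF = """
[msad-dc-health]
search = source=Powershell sourcetype="MSAD:NT6:Health"

[msad-dc-replication]
search = index=msad sourcetype="MSAD:NT6:Replication"

# ad_dns is a made-up index name, included to show a wrong-index stanza
[msad-dns-zones]
search = index=ad_dns sourcetype="MSAD:NT6:DNS-Zone-information"
"""

# Indexes that actually hold the data, as listed by the poster.
KNOWN_INDEXES = {"msad", "winevents", "perfmon"}
INDEX_TERM = re.compile(r'\bindex\s*=\s*"?([^\s"]+)"?', re.IGNORECASE)

def parse_stanzas(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}}, '=' as the only delimiter."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def audit_eventtypes(text, known_indexes):
    """Return {eventtype: reason} for stanzas whose search cannot reach the data."""
    problems = {}
    for name, body in parse_stanzas(text).items():
        match = INDEX_TERM.search(body.get("search", ""))
        if match is None:
            # No index term: only the role's default indexes are searched, so msad is skipped.
            problems[name] = "no index= term; add the index that holds the data"
        elif match.group(1) != "*" and match.group(1) not in known_indexes:
            problems[name] = f"index={match.group(1)} does not exist on the indexers"
    return problems

def scope_to_index(search, index):
    """Prepend index=<index> when the search has none (the accepted fix)."""
    return search if INDEX_TERM.search(search) else f"index={index} {search}"
```

Run audit_eventtypes over the app's real eventtypes.conf (under the app's default/ and local/ directories) to see which detection eventtypes are unscoped before editing a local override.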


neerajshah81
Path Finder

Hi, can you please explain how exactly you did this?

khaihuynhit
Explorer

Hi dfigurello,
Please help me to know how to check index=msad.

Thanks Pro,
Khai

malmoore
Splunk Employee

Hi,

The Windows Infrastructure first-time-run page detects based on event types. Even if the data is present, detection will fail if the event types are not present.

Can you perform the following search and see what data comes back?

eventtype=msad-dc-health

dfigurello
Communicator

When I ran a search:
index=* source=Powershell sourcetype="MSAD:NT6:Health", I saw 6,220 events.

Any idea?


dfigurello
Communicator

Hi dungpv,

Have you enabled audit policies in your AD environment?
Try running the following search:
index=* source=WinEventLog:Security
What's the result?
Cheers!


damode
Motivator

Hi dfigurello,

I am facing the same issue and ran the search you mentioned above; however, I haven't got any data. Please suggest a workaround.


dungpv
Explorer

Hi dfigurello,

I have the same error. I can detect some Active Directory data, such as:

Active Directory: Domains found.
Detecting Domain Controllers
Active Directory: Domain Controllers found.
Detecting DNS
Active Directory: DNS found.

But I can't detect data for Users, Computers, Active Directory. Could you please give me the instructions to detect users, computers, AD?
Many thanks.

dfigurello
Communicator

No results found.
What can it be?

Any idea?

Cheers!


ChrisG
Splunk Employee

Do you have SA-ldapsearch on your search heads, and the msad, winevents, and perfmon indexes on your indexers?


dfigurello
Communicator

Hi ChrisG,

Yes, I have SA-ldapsearch in my Splunk. In this case, I am working with 01 server.
When I run a search I have the following sourcetypes and sources:

index=msad
source=ActiveDirectory

source=PowerShell

Sourcetype=ActiveDirectory
sourcetype=MSAD:NT6:Replication
sourcetype=Powershell:ScriptExecutionSummary
sourcetype=MSAD:NT6:DNS-Zone-information
sourcetype=MSAD:NT6:Health
sourcetype=MSAD:NT6:SiteInfo
sourcetype=MSAD:NT6:DNS-Health
sourcetype=Powershell:ScriptExecutionErrorRecord

index=winevents
source=WinEventLog:Directory Service
source=WinEventLog:DNS Server

sourcetype=WinEventLog:Directory Service
sourcetype=WinEventLog:DNS Server

index=perfmon
source=Perfmon:Processor
source=Perfmon:NTDS
source=Perfmon:DNS
source=Perfmon:Network_interface

sourcetype=Perfmon:Processor
sourcetype=Perfmon:NTDS
sourcetype=Perfmon:DNS
sourcetype=Perfmon:Network_interface

Cheers!

dfigurello
Communicator

Splunk App for Windows Infrastructure
Version 1.0.4

Add-on in my server:
SA-ModularInput-PowerShell
Splunk_TA_windows
TA-DNSServer-NT6
TA-DomainController-2012R2

Thanks!
