Hi Splunkers,
I am installing the Splunk for Windows app in my Windows environment. My server is 2012 R2. I followed the instructions on docs.splunk.com, but I can't see my Active Directory data. The primary problem is that when I click Start in the dialog box to detect the type of data, my Active Directory data is not found.
For example:
...
Active Directory: Domains not found.
Detecting Domain Controllers
Active Directory: Domain Controllers not found.
Detecting DNS
Active Directory: DNS not found.
Detecting Users
Active Directory: Users found.
...
I checked the add-ons on my server but I couldn't find the problem.
Any idea?
Hi everyone,
Splunk's eventtype was not configured with "index=msad" in the Windows application; when I configured index=msad, I could see my health data in the application.
Thank you for your attention.
Cheers.
Hi, can you please explain how exactly you did this?
Hi Dfigurello,
Please help me understand how to check index=msad.
Thanks Pro,
Khai
Hi,
The Windows Infrastructure first-time-run page performs its detection based on event types. Even if the data is present, the detection will fail if the event types are not present.
Can you perform the following search and see what data comes back?
eventtype=msad-dc-health
When I ran a search:
index=* source=Powershell sourcetype="MSAD:NT6:Health", I saw 6,220 events.
Any idea?
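Tying together the accepted fix (the eventtype must include index=msad) and the detection search above, here is an added example of a local eventtypes.conf override, not configuration from the original thread or from the app itself. The stanza name comes from the thread; the app directory name and the exact search string are assumptions, so compare against the app's shipped definition before copying.

```ini
# $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/eventtypes.conf
# Added example; the app directory name is an assumption.
# Settings in local/ override default/ and survive app upgrades.
#
# Symptom from the thread: the raw health events exist
#   (index=* source=Powershell sourcetype="MSAD:NT6:Health" returns events)
# but eventtype=msad-dc-health returns nothing, so first-time-run
# detection reports "Domain Controllers not found".
#
# Before (assumed shape of the non-matching definition): the eventtype
# search is not scoped to the index that actually holds the data, so the
# default search indexes on the search head never include it.
#   [msad-dc-health]
#   search = source=Powershell sourcetype="MSAD:NT6:Health"
#
# After: scope the eventtype to the msad index named in the thread.
[msad-dc-health]
search = index=msad source=Powershell sourcetype="MSAD:NT6:Health"

# Verify the effective definition and which file it comes from:
#   splunk btool eventtypes list msad-dc-health --debug
# then re-run the detection search from the search bar:
#   eventtype=msad-dc-health
```

Restart or reload the app (Settings > Event types, or a debug/refresh) after editing so the search head picks up the override.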
Hi Dungpv,
Have you enabled audit policies in the AD environment?
Try running the following search:
index=* source=WinEventLog:Security
What's the result?
Cheers!
Hi dfigurello,
I am facing the same issue and ran the search you mentioned above; however, I haven't got any data. Please suggest a workaround.
Hi dfigurello,
I have the same error. I can detect some Active Directory data, such as:
Active Directory: Domains found.
Detecting Domain Controllers
Active Directory: Domain Controllers found.
Detecting DNS
Active Directory: DNS found.
But I can't detect data for User, Computer, Active Directory. Could you please give me instructions to detect user, computer, AD?
Many thanks.
No results found.
What can it be?
Any idea?
Cheers!
Do you have SA-ldapsearch on your search heads, and the msad, winevents, and perfmon indexes on your indexers?
Hi ChrisG,
Yes, I have SA-ldapsearch in my Splunk. In this case, I am working with 01 server.
When I run a search I have the following sourcetypes and sources:
index=msad
source=ActiveDirectory
Sourcetype=ActiveDirectory
sourcetype=MSAD:NT6:Replication
sourcetype=Powershell:ScriptExecutionSummary
sourcetype=MSAD:NT6:DNS-Zone-information
sourcetype=MSAD:NT6:Health
sourcetype=MSAD:NT6:SiteInfo
sourcetype=MSAD:NT6:DNS-Health
sourcetype=Powershell:ScriptExecutionErrorRecord
index=winevents
source=WinEventLog:Directory Service
source=WinEventLog:DNS Server
sourcetype=WinEventLog:Directory Service
sourcetype=WinEventLog:DNS Server
index=perfmon
source=Perfmon:Processor
source=Perfmon:NTDS
source=Perfmon:DNS
source=Perfmon:Network_interface
sourcetype=Perfmon:Processor
sourcetype=Perfmon:NTDS
sourcetype=Perfmon:DNS
sourcetype=Perfmon:Network_interface
cheers!
Splunk App for Windows Infrastructure
Version 1.0.4
Add-on in my server:
SA-ModularInput-PowerShell
Splunk_TA_windows
TA-DNSServer-NT6
TA-DomainController-2012R2
Thanks!