
Active Directory not found. How to troubleshoot a problem in Splunk App for Windows Infrastructure?

Communicator

hi splunkers,

I am installing the Splunk App for Windows Infrastructure in my Windows environment. My server is 2012 R2. I followed the instructions on docs.splunk.com, but I can't see my Active Directory data. The primary problem is that when I click Start in the dialog box to detect the type of data, my Active Directory data is not found.

For example:
...
Active Directory: Domains not found.
Detecting Domain Controllers
Active Directory: Domain Controllers not found.
Detecting DNS
Active Directory: DNS not found.
Detecting Users
Active Directory: Users found.
...

I checked the add-ons on my server but I couldn't find my problem.

Any idea ?

1 Solution

Communicator

Hi everyone,

The Splunk eventtype was not configured with "index=msad" in the Windows application; when I configured index=msad, I could see my health data in the application.

Thank you for your attention.

Cheers.


Path Finder

Hi, can you please explain how exactly you did this?

Explorer

Hi Dfigurello,
Please help me understand how to check index=msad.

Thanks Pro,
Khai

Splunk Employee

Hi,

The Windows Infrastructure first-time-run page detects data based on event types. Even if the data is present, detection will fail if the event types are not present.

Can you perform the following search and see what data comes back?

eventtype=msad-dc-health
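The accepted solution above (the msad-dc-health eventtype only matched once its search carried index=msad) and this reply (detection keys on eventtypes, not on the raw data) describe the same mechanism: a Splunk search with no index term only covers the role's default search indexes, so data sitting in msad is invisible to it even though index=* finds it. The following is an added example, not code from the app or from anyone in the thread: it parses Splunk-style eventtypes.conf text, applies default/local layering the way Splunk merges the two directories, and reports which eventtypes lack an index constraint before and after a local override. The stanza contents are constructed to mirror the thread; only the eventtype and sourcetype names come from the page.

```python
"""Audit eventtypes.conf stanzas for a missing index term.

Added example (not part of the Splunk App for Windows Infrastructure).
The .conf text below is constructed: the msad-dc-health stanza in the
'default' layer reproduces the thread's problem, the 'local' layer
carries the fix the accepted answer describes.
"""
import re
from typing import Dict, List, Optional

Conf = Dict[str, Dict[str, str]]

# Constructed stand-in for <app>/default/eventtypes.conf.
DEFAULT_EVENTTYPES = """\
# default/eventtypes.conf (constructed for this example)
[msad-dc-health]
search = sourcetype="MSAD:NT6:Health"

[msad-dns-health]
search = index=msad sourcetype="MSAD:NT6:DNS-Health"
"""

# Constructed stand-in for <app>/local/eventtypes.conf holding the fix.
LOCAL_EVENTTYPES = """\
[msad-dc-health]
search = index=msad sourcetype="MSAD:NT6:Health"
"""


def parse_conf(text: str) -> Conf:
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}.

    Handles '#' comment lines, blank lines and backslash continuations.
    """
    conf: Conf = {}
    stanza: Optional[str] = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
            continue
        if stanza is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[stanza][key] = value
    return conf


def merge_layers(*layers: Conf) -> Conf:
    """Apply Splunk's layering: later layers (local/) override earlier
    ones (default/) key by key, keeping keys they do not set."""
    merged: Conf = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


# Matches 'index=msad', 'index="msad"' and 'index IN (msad, ...)'.
INDEX_TERM = re.compile(r'\bindex\s*(?:=|IN\s*\()\s*"?([^\s",()]+)',
                        re.IGNORECASE)


def index_constraint(search: str) -> Optional[str]:
    """Return the first index named in a search, or None when the search
    has no index term (and so only covers the role's default indexes)."""
    match = INDEX_TERM.search(search)
    return match.group(1) if match else None


def eventtypes_missing_index(conf: Conf) -> List[str]:
    """Names of eventtypes whose effective search lacks an index term."""
    return sorted(name for name, settings in conf.items()
                  if index_constraint(settings.get("search", "")) is None)


def audit(default_text: str = DEFAULT_EVENTTYPES,
          local_text: str = LOCAL_EVENTTYPES) -> Dict[str, object]:
    """Report eventtypes lacking an index before and after local/ applies."""
    default = parse_conf(default_text)
    merged = merge_layers(default, parse_conf(local_text))
    return {
        "before": eventtypes_missing_index(default),
        "after": eventtypes_missing_index(merged),
        "effective_search": merged["msad-dc-health"]["search"],
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a live search head the same check is done by inspecting the effective stanza rather than the files by hand; the local/ override shown here is the conventional place for the fix so that an app upgrade replacing default/ does not undo it.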

Communicator

When I ran the search:
index=* source=Powershell sourcetype="MSAD:NT6:Health", I saw 6,220 events.

Any idea?


Communicator

Hi Dungpv,

Have you enabled audit policies in your AD environment?
Try running the following search:
index=* source=WinEventLog:Security
What's the result?
Cheers!


Builder

Hi dfigurello ,

I am facing the same issue and ran the search you mentioned above; however, I haven't got any data. Please suggest a workaround.


Explorer

Hi dfigurello,

I have the same error. I can detect some Active Directory data, such as:

Active Directory: Domains found.
Detecting Domain Controllers
Active Directory: Domain Controllers found.
Detecting DNS
Active Directory: DNS found.

But I can't detect data for Users, Computers, or Active Directory. Could you please give me the instructions to detect users, computers, and AD?
Many thanks.


Communicator

No results found.
What can it be?

Any idea?

Cheers!


Splunk Employee

Do you have SA-ldapsearch on your search heads, and the msad, winevents, and perfmon indexes on your indexers?


Communicator

Hi ChrisG,

Yes, I have SA-ldapsearch in my Splunk. In this case, I am working with one server.
When I run a search I have the following sourcetypes and sources:

index=msad
source=ActiveDirectory

source=PowerShell

sourcetype=ActiveDirectory
sourcetype=MSAD:NT6:Replication
sourcetype=Powershell:ScriptExecutionSummary
sourcetype=MSAD:NT6:DNS-Zone-information
sourcetype=MSAD:NT6:Health
sourcetype=MSAD:NT6:SiteInfo
sourcetype=MSAD:NT6:DNS-Health
sourcetype=Powershell:ScriptExecutionErrorRecord

index=winevents
source=WinEventLog:Directory Service
source=WinEventLog:DNS Server

sourcetype=WinEventLog:Directory Service
sourcetype=WinEventLog:DNS Server

index=perfmon
source=Perfmon:Processor
source=Perfmon:NTDS
source=Perfmon:DNS
source=Perfmon:Network_interface

sourcetype=Perfmon:Processor
sourcetype=Perfmon:NTDS
sourcetype=Perfmon:DNS
sourcetype=Perfmon:Network_interface

cheers!


Communicator

Splunk App for Windows Infrastructure
Version 1.0.4

Add-ons on my server:
SA-ModularInput-PowerShell
SplunkTAwindows
TA-DNSServer-NT6
TA-DomainController-2012R2

Thanks!
