I have the Splunk App for Windows Infrastructure up and running. The supporting SA-ldapsearch is installed along with Java and functioning fine as well. I am receiving results on virtually every dashboard included with the app.
The only dashboard I am having issues with is the Administrator Audit. I keep receiving a "Search query is not resolved." message in every view on that dashboard. Under Account Domain/Administrator there is a "Search produced no results" message, and it is looking for the default "Last 15 minutes".
If I change the 15 minutes to 24 hours, or 1 minute, or some other real-time search, the Account Domain will start "Populating" and finally find the domain, but the Administrator is being hard-set to some random user/computer account and will not let me search for/choose an actual administrator.
I do not see any specific errors in splunkd.log or my SA-ldapsearch log relating to this. Any ideas?
Do you get any results when you run this search?
eventtype=msad-admin-audit NOT src_nt_domain="NT AUTHORITY"
This is the search that populates the Account Domain and Administrator drop-down menus.
The EventType msad-admin-audit relies on data from the following nested eventtypes. If you're not getting data back from these searches, then there is a problem with your data ingestion.
eventtype=msad-group-changes
    eventtype=msad-nt5-group-changes
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
        (EventCode=631 OR EventCode=634 OR EventCode=635 OR EventCode=638 OR EventCode=639 OR EventCode=641 OR EventCode=648 OR EventCode=649 OR EventCode=652 OR EventCode=653 OR EventCode=654 OR EventCode=657 OR EventCode=658 OR EventCode=659 OR EventCode=662 OR EventCode=663 OR EventCode=664 OR EventCode=667 OR EventCode=668)
    eventtype=msad-nt6-group-changes
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
        (EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764)
eventtype=msad-groupmembership-changes
    eventtype=msad-nt5-groupmembership-changes
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
        (EventCode=632 OR EventCode=633 OR EventCode=636 OR EventCode=637 OR EventCode=650 OR EventCode=651 OR EventCode=655 OR EventCode=656 OR EventCode=660 OR EventCode=661 OR EventCode=665 OR EventCode=666)
    eventtype=msad-nt6-groupmembership-changes
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
        (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762)
eventtype=msad-computer-changes
    eventtype=msad-nt5-computer-changes
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
        (EventCode=645 OR EventCode=646 OR EventCode=647)
    eventtype=msad-nt6-computer-changes
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
        (EventCode=4741 OR EventCode=4742 OR EventCode=4743)
eventtype=msad-user-changes
    eventtype=msad-nt5-user-changes
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
        (EventCode=624 OR EventCode=625 OR EventCode=626 OR EventCode=628 OR EventCode=629 OR EventCode=630 OR EventCode=642 OR EventCode=671 OR EventCode=685 OR EventCode=807) user!="*$"
    eventtype=msad-nt6-user-changes
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security
        (EventCode=4720 OR EventCode=4722 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4912) user!="*$"
eventtype=msad-account-lockout
    eventtype=msad-nt5-account-lockout
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=644
    eventtype=msad-nt6-account-lockout
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=4740
eventtype=msad-account-unlock
    eventtype=msad-nt5-account-unlock
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=671
    eventtype=msad-nt6-account-unlock
        sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security OR sourcetype=XmlWinEventLog:Security EventCode=4767
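To make the ingestion check in the answer above concrete, here is an added example (not code from the Splunk app or from the answer's author) that models the nested msad-* eventtypes in plain Python and runs a handful of constructed Windows Security events through them. It reports which leaf eventtypes nothing in the sample satisfies, which is exactly the list of things to check in your inputs, and it applies the dashboard's own filter (eventtype=msad-admin-audit NOT src_nt_domain="NT AUTHORITY"). The eventtype names, sourcetypes and EventCode lists are copied from the answer; the sample events, their users and domains are made up for illustration.

```python
"""Offline model of the msad-* eventtype tree from the answer above.

Constructed example, not Splunk's code. Field names (sourcetype, EventCode,
user, src_nt_domain) are the Splunk field names the dashboard search uses.
"""
from typing import Dict, List, Set

SECURITY_SOURCETYPES = {"WinEventLog:Security", "WMI:WinEventLog:Security",
                        "XmlWinEventLog:Security"}

# Leaf eventtypes: name -> (EventCodes, apply the user!="*$" exclusion?)
LEAF_EVENTTYPES = {
    "msad-nt5-group-changes": ({631, 634, 635, 638, 639, 641, 648, 649, 652, 653,
                                654, 657, 658, 659, 662, 663, 664, 667, 668}, False),
    "msad-nt6-group-changes": ({4727, 4730, 4731, 4734, 4735, 4737, 4744, 4745, 4748,
                                4749, 4750, 4753, 4754, 4755, 4758, 4759, 4760, 4763,
                                4764}, False),
    "msad-nt5-groupmembership-changes": ({632, 633, 636, 637, 650, 651, 655, 656,
                                          660, 661, 665, 666}, False),
    "msad-nt6-groupmembership-changes": ({4728, 4729, 4732, 4733, 4746, 4747, 4751,
                                          4752, 4756, 4757, 4761, 4762}, False),
    "msad-nt5-computer-changes": ({645, 646, 647}, False),
    "msad-nt6-computer-changes": ({4741, 4742, 4743}, False),
    "msad-nt5-user-changes": ({624, 625, 626, 628, 629, 630, 642, 671, 685, 807}, True),
    "msad-nt6-user-changes": ({4720, 4722, 4724, 4725, 4726, 4738, 4767, 4781, 4912}, True),
    "msad-nt5-account-lockout": ({644}, False),
    "msad-nt6-account-lockout": ({4740}, False),
    "msad-nt5-account-unlock": ({671}, False),
    "msad-nt6-account-unlock": ({4767}, False),
}

# Parent eventtypes are an OR of their children, as in the answer's tree.
PARENT_EVENTTYPES = {
    "msad-group-changes": ["msad-nt5-group-changes", "msad-nt6-group-changes"],
    "msad-groupmembership-changes": ["msad-nt5-groupmembership-changes",
                                     "msad-nt6-groupmembership-changes"],
    "msad-computer-changes": ["msad-nt5-computer-changes", "msad-nt6-computer-changes"],
    "msad-user-changes": ["msad-nt5-user-changes", "msad-nt6-user-changes"],
    "msad-account-lockout": ["msad-nt5-account-lockout", "msad-nt6-account-lockout"],
    "msad-account-unlock": ["msad-nt5-account-unlock", "msad-nt6-account-unlock"],
    "msad-admin-audit": ["msad-group-changes", "msad-groupmembership-changes",
                         "msad-computer-changes", "msad-user-changes",
                         "msad-account-lockout", "msad-account-unlock"],
}


def matching_eventtypes(event: Dict[str, str]) -> Set[str]:
    """Return every leaf and parent eventtype this one event satisfies."""
    matched: Set[str] = set()
    if event.get("sourcetype") not in SECURITY_SOURCETYPES:
        return matched
    try:
        code = int(event.get("EventCode", ""))
    except ValueError:
        return matched
    user = event.get("user")
    for name, (codes, exclude_computer_accounts) in LEAF_EVENTTYPES.items():
        if code not in codes:
            continue
        # Splunk's user!="*$" requires the field to exist and not end in "$",
        # so computer accounts (WKS01$) and events with no user field drop out.
        if exclude_computer_accounts and (user is None or user.endswith("$")):
            continue
        matched.add(name)
    # Walk the tree up to msad-admin-audit; loop until nothing new is added.
    changed = True
    while changed:
        changed = False
        for parent, children in PARENT_EVENTTYPES.items():
            if parent not in matched and any(c in matched for c in children):
                matched.add(parent)
                changed = True
    return matched


def admin_audit_search(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The dashboard search: eventtype=msad-admin-audit NOT src_nt_domain="NT AUTHORITY"."""
    return [e for e in events
            if "msad-admin-audit" in matching_eventtypes(e)
            and e.get("src_nt_domain") != "NT AUTHORITY"]


def ingestion_gaps(events: List[Dict[str, str]]) -> List[str]:
    """Leaf eventtypes that no event in the sample hits: the things to check in ingestion."""
    seen: Set[str] = set()
    for e in events:
        seen |= matching_eventtypes(e)
    return sorted(name for name in LEAF_EVENTTYPES if name not in seen)


# Constructed sample events (made up for this example).
SAMPLE_EVENTS = [
    {"sourcetype": "WinEventLog:Security", "EventCode": "4728", "user": "jdoe",
     "src_nt_domain": "CORP"},                       # group membership change
    {"sourcetype": "XmlWinEventLog:Security", "EventCode": "4720", "user": "svc01",
     "src_nt_domain": "CORP"},                       # user account created
    {"sourcetype": "WinEventLog:Security", "EventCode": "4720", "user": "WKS01$",
     "src_nt_domain": "CORP"},                       # computer account: user!="*$" drops it
    {"sourcetype": "WinEventLog:Security", "EventCode": "4740", "user": "jdoe",
     "src_nt_domain": "NT AUTHORITY"},               # lockout, but filtered by the dashboard
    {"sourcetype": "WinEventLog:System", "EventCode": "4728", "user": "jdoe",
     "src_nt_domain": "CORP"},                       # wrong sourcetype, never matches
    {"sourcetype": "WinEventLog:Security", "EventCode": "4624", "user": "jdoe",
     "src_nt_domain": "CORP"},                       # logon: not an admin-audit code
]

if __name__ == "__main__":
    for e in admin_audit_search(SAMPLE_EVENTS):
        print("dashboard row:", e["EventCode"], e["user"], e["src_nt_domain"])
    print("leaf eventtypes with no data:", ingestion_gaps(SAMPLE_EVENTS))
```

If ingestion_gaps reports every leaf, the Security log is not reaching Splunk under one of the three sourcetypes the eventtypes expect; if only the nt5 leaves are empty on a 2008+ domain that is normal, since those are the pre-Vista event IDs. Note that EventCode 4767 satisfies both msad-nt6-user-changes and msad-nt6-account-unlock, so an unlock on a human account counts twice in the tree but once in the search.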
Same here.
Same problem here, and we are running Splunk 6.1.1 with Splunk App for Windows Infrastructure 1.0.2.
Adding the following (in hopes of more search result matches):
This is the URI we are referring to...
dj/en-us/splunk_app_windows_infrastructure/ad/sec_admin_audit/
The path to access it via the GUI is:
Splunk App for Windows Infrastructure --> Active Directory --> Users --> Administrator Audit
Same problem here...