
App for Windows Infrastructure can't track AD Users or Groups - what am I missing?

keinsignal
Engager

I'm guessing somewhere along the way I skipped an important step, but I'm hoping somebody can give me some way to troubleshoot this issue without having to start over from scratch... I'm working with a very simple setup here, with a single Splunk server, and a universal forwarder (plus the relevant apps) installed on one of our two local domain controllers (2008 R2).

I've tested LDAP searches, that seems to be working. Security logging on the DC is auditing everything except "process tracking". Data is clearly flowing into Splunk, but the app claims that data for "Users", "Groups", and "Computers" is not found when I run the auto-setup.

(Weird and probably irrelevant aside: "Computers" did actually show up during one attempt, but never since. I did not make any change I can think of that would have caused this; I was literally just hitting the "Detect" button over and over again, thinking maybe the issue was that not enough log data had been imported yet.)

1 Solution

jbernt_splunk
Splunk Employee

The searches for auto-detection in our First Time Run experience are only within the last 15 minutes, which would explain why you saw a computer event. If you explicitly check those items, you should see them show up in the pages associated with those items.

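A quick way to confirm that user, group and computer events actually exist in Splunk over a window wider than the 15-minute auto-detect search. This is an added example, not code from the original thread or from the app itself. It assumes the classic Windows TA sourcetype WinEventLog:Security and a hypothetical index name wineventlog; change both to match your environment. The EventCodes are the standard Windows account-management IDs: 4720/4722/4726 (user created/enabled/deleted), 4728/4732/4756 (member added to a global/local/universal group) and 4741/4743 (computer created/deleted).

```spl
index=wineventlog sourcetype="WinEventLog:Security" earliest=-7d latest=now
    (EventCode=4720 OR EventCode=4722 OR EventCode=4726
     OR EventCode=4728 OR EventCode=4732 OR EventCode=4756
     OR EventCode=4741 OR EventCode=4743)
| eval object=case(
    EventCode==4720 OR EventCode==4722 OR EventCode==4726, "User",
    EventCode==4728 OR EventCode==4732 OR EventCode==4756, "Group",
    EventCode==4741 OR EventCode==4743, "Computer")
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY object
| convert ctime(first_seen) ctime(last_seen)
```

If a row for User, Group or Computer is missing over seven days, the domain controller is not logging or not forwarding that category (check that the Account Management audit subcategory is enabled and that the Security log is in the forwarder's inputs). If the rows are present but the First Time Run page still says "not found", it is only because nothing happened in the last 15 minutes; check the boxes anyway, as the answer above says, and the Active Directory dashboards will populate for a time range that contains these events.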

jbernt_splunk
Splunk Employee

Glad I could answer it. 🙂
Give it a try, check those boxes, and look at some of the user/computer/etc. related items under Active Directory in the navigation menu. You should start seeing your data show up given an appropriate time frame.

Ibbers
Explorer

Oh, so the timeframe for the initial check is the last 15 min?

And the solution to the "not found" warning is to check the boxes anyway, save, and then wait for the Win Infra dashboards to present the data?


keinsignal
Engager

Well now I feel a bit silly for not trying that. Thanks!
