I have a single instance of Splunk Enterprise on 7.1.2 running on Linux. My requirement is to get data in from our Windows Active Directory Domain Controllers. I have installed the "Splunk App For Windows Infrastructure" on my Splunk server and accordingly configured the TA for windows, TA for DNS and TA for Active Directory & deployed the same components to my Windows AD server as per the instructions mentioned in the documentation of that app.
The issue that i am facing is, i am getting all the data in (from my Windows AD server) in Splunk except from whatever inputs that have been configured in inputs.conf of Splunk_TA_windows. For instance if i run a simple search for
source="WinEventLog:Security" | host="<our-AD-server>" , it returns 0 results. Like wise other searches for other input stanzas such as
source="c:\\windows\\system32\\dns\\dns.log" also return 0 results.
Below is the snippet of my C:\Program Files\SplunkUnivForwarder\SplunkTA_Windows\local\inputs.conf from our Windows AD Server.
[WinEventLog://Security] checkpointInterval = 5 current_only = 0 disabled = 0 start_from = oldest suppress_text = 1 [monitor://C:\Windows\System32\dns\dns.log] disabled = false [admon://NearestDC] monitorSubtree = 1
I am able to get other events & sourcetypes from this AD server such as PerfMON stats and other AD related information from the AD server so there isnt a network connectivity issue or firewall issue. Screenshot attached.
Can someone advise what might be causing the inputs.conf defined in "TA for Windows" to not work ? While installing the UF on Windows AD server, i used "local system" account for installing which shouldn't make a difference i believe.
Adonio, thanks a bunch. That worked. But any reason that these events & their count did not show up earlier while searching for "host=AD Server" and right click on the "Sources" or Sourcetypes" In the fields bar on left ?
The moment i ran the search for index=* and index=main, i can see they got listed under Source & Sourcetypes fields on left.
This may be because of "srchIndexesDefault" setting for a user. srchIndexesDefault - is a semicolon-delimited list of indexes to search when no index is specified.
So, if you don't specify the index name in your search, splunk will look at default indexes to search. Hence, inconsistencies in results.
Below is more information of this setting:
* A semicolon-delimited list of indexes to search when no index is specified.
* These indexes can be wild-carded (""), with the exception that '' does not
match internal indexes.
* To match internal indexes, start with ''. All internal indexes are
represented by ''.
* The wildcard character '' is limited to match either all the non-internal
indexes or all the internal indexes, but not both at once.
* If you make any changes in the "Indexes searched by default" Settings panel
for a role in Splunk Web, those values take precedence, and any wildcards
you specify in this setting are lost.
* Defaults to none.