
Help a newbie setup windows infrastructure app

jbleich
Path Finder

I will first admit I'm a Splunk newbie, we are in the "sizing" stage, have not purchased yet, but pretty sure we will. Anyways, I'm trying to get this Windows infrastructure app working. I have Splunk v6.1 installed, I have the correct GPOs on the DCs.

Now when you come to help, start off easy :), remember I'm a newbie 🙂

0 Karma

mcronkrite
Splunk Employee

Make sure you have a Splunk Universal Forwarder with Splunk_TA_Windows installed on it, configured to send Windows event logs.

Go to the Windows Infrastructure App, then go to Settings and Event Types.
You should see something that looks like this screen shot. [screenshot: win app event types]
You'll want to try these searches and see where you have data, for example you can search this:

search index=* eventtype=msad-nt5-successful-user-logons OR eventtype=msad-nt6-successful-user-logons

Check to see where you have data by searching for these event types, for example start with:

search index=* eventtype=wineventlog-security

Do you see EventCode as an interesting field?
If not then you don't have the right permissions set on the knowledge objects for this app.

Look for the eventtype=wineventlog-security definition and make sure that it matches your environment.
Save it and try these eventtypes searches again.

0 Karma

ldgrube
Engager

I'm seeing the same issue. I believe it is because if you look at the default config files in both the App and the Windows TA add-ons, the indexes are NOT the same. The Win Infra App looks for Windows event logs in an index named "winevents" while the TA-Add-On saves event logs to index "wineventlog". I'm not sure how the Infra App config file could possibly work since it doesn't even look in the same locations. I'm working on trying to fix all of those mismatches myself.

0 Karma
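The index mismatch ldgrube describes, and the "check where you have data for each eventtype" step in mcronkrite's answer, can both be checked offline before touching the search head. The following script is an added example written for this thread; it is not code from the Splunk App for Windows Infrastructure or from Splunk_TA_Windows. It parses Splunk-style .conf text, follows `eventtype=` references inside eventtype searches to find which `index=` values they ultimately depend on, and compares those against the indexes the TA's `WinEventLog://` inputs actually write to. The two .conf snippets embedded below are constructed for illustration (the stanza names mirror the eventtypes quoted in the thread, but the search strings and index values are made up); point the functions at your own files to audit a real deployment.

```python
"""Cross-check the indexes an app's eventtypes reference against the indexes a
Windows TA writes to. The .conf samples here are constructed for illustration
and are not the real contents of any Splunk app or add-on."""
import fnmatch
import re
from typing import Dict, List, Optional, Set

# Constructed sample: eventtypes.conf as an app might ship it (hypothetical)
APP_EVENTTYPES_CONF = """
[wineventlog-security]
search = index=winevents sourcetype=WinEventLog:Security

[msad-nt6-successful-user-logons]
search = eventtype=wineventlog-security EventCode=4624

[msad-nt5-successful-user-logons]
search = eventtype=wineventlog-security EventCode=528
"""

# Constructed sample: inputs.conf as a TA might ship it on the forwarder (hypothetical)
TA_INPUTS_CONF = """
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
INDEX_TOKEN_RE = re.compile(r"\bindex\s*=\s*(\S+)")
EVENTTYPE_TOKEN_RE = re.compile(r"\beventtype\s*=\s*(\S+)")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Keys are case-sensitive in Splunk, so nothing is lower-cased."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def resolve_eventtype_indexes(eventtypes: Dict[str, Dict[str, str]], name: str,
                              _seen: Optional[Set[str]] = None) -> Set[str]:
    """Indexes (possibly wildcard patterns) an eventtype's search names, following
    nested eventtype= references. _seen guards against reference cycles."""
    _seen = _seen if _seen is not None else set()
    if name in _seen or name not in eventtypes:
        return set()
    _seen.add(name)
    search = eventtypes[name].get("search", "")
    found = {tok.strip('"') for tok in INDEX_TOKEN_RE.findall(search)}
    for ref in EVENTTYPE_TOKEN_RE.findall(search):
        found |= resolve_eventtype_indexes(eventtypes, ref.strip('"'), _seen)
    return found


def ta_indexes(inputs: Dict[str, Dict[str, str]], default_index: str = "main") -> Set[str]:
    """Indexes that enabled WinEventLog:// inputs write to. An input stanza with no
    index setting lands in Splunk's default index, main."""
    written: Set[str] = set()
    for stanza, keys in inputs.items():
        if not stanza.startswith("WinEventLog://"):
            continue
        if keys.get("disabled", "0").lower() in ("1", "true"):
            continue
        written.add(keys.get("index", default_index))
    return written


def find_mismatches(app_conf_text: str, ta_conf_text: str) -> Dict[str, List[str]]:
    """Map each eventtype to the index patterns it needs that no TA input writes to.
    Wildcards such as index=win* are honoured via fnmatch."""
    eventtypes = parse_conf(app_conf_text)
    written = ta_indexes(parse_conf(ta_conf_text))
    report: Dict[str, List[str]] = {}
    for name in eventtypes:
        wanted = resolve_eventtype_indexes(eventtypes, name)
        missing = sorted(p for p in wanted
                         if not any(fnmatch.fnmatchcase(w, p) for w in written))
        if missing:
            report[name] = missing
    return report


if __name__ == "__main__":
    written = sorted(ta_indexes(parse_conf(TA_INPUTS_CONF)))
    for et, needed in sorted(find_mismatches(APP_EVENTTYPES_CONF, TA_INPUTS_CONF).items()):
        print(f"eventtype {et} expects index {needed} but the TA writes to {written}")
```

An eventtype that appears in the report will return zero results no matter how well the forwarder is configured, which is exactly the "not found" symptom in the detects; fix it either by editing the eventtype's search to name the TA's index, or by setting `index` in the TA's inputs.conf to what the app expects, and keep the edit in a local directory so an upgrade does not overwrite it.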

ChrisG
Splunk Employee

Did you start with the documentation? It includes a New to Splunk? topic as well as detailed installation and configuration instructions and troubleshooting information.

Did you configure event types and build the lookup tables?

jbleich
Path Finder

Sorry, so I've installed the App on the indexer and forwarders on my DCs. When I go to do the detect in the app it just says "not found" for all of the detects, things like domain, DCs, group policy etc. There are 12 things it detects for and none of them are found.

0 Karma

richgalloway
SplunkTrust

What is your question? People are more likely to respond to specific questions than to generic "please help" postings.

---
If this reply helps you, Karma would be appreciated.
0 Karma