
How to deploy App for Windows Infrastructure?

dungpv
Explorer

Hi Guys,

I'm a newbie. I have just installed the Splunk App for Windows Infrastructure, but I have a problem with detecting the Windows & Active Directory features. I was only following the guide from http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/Deploymentprocess but without success. I can't detect all of the Windows and AD features. The following is the log from when I tried to detect the features.

Detecting Event Monitoring
Windows: Event Monitoring found.
Detecting Performance Monitoring
Windows: Performance Monitoring found.
Detecting Applications and Updates
Windows: Applications and Updates not found.
Detecting Network Monitoring
Windows: Network Monitoring not found.
Detecting Print Monitoring
Windows: Print Monitoring not found.
Detecting Host Monitoring
Windows: Host Monitoring not found.
Detecting Domains
Active Directory: Domains not found.
Detecting Domain Controllers
Active Directory: Domain Controllers not found.
Detecting DNS
Active Directory: DNS not found.
Detecting Users
Active Directory: Users found.
Detecting Computers
Active Directory: Computers found.
Detecting Groups
Active Directory: Groups found.

Please help me solve this problem. Thanks for your support.

1 Solution

dungpv
Explorer

Hi rsennett_splunk, ppablo_splunk

This is the SAldapsearch log file.

2014-07-03 16:52:52.702 +0700 pid=544 [com.splunk.ldap.ActiveDirectory:getConnectionForEntry#-1] ERROR Could not find entry xxx in ldap.conf
2014-07-03 16:52:52.702 +0700 pid=544 [com.splunk.program.LDAPFilter:Execute#-1] ERROR No connection available for xxx
2014-07-03 16:52:52.702 +0700 pid=544 [com.splunk.ldap.ActiveDirectory:getConnectionForEntry#-1] ERROR Could not find entry xxx in ldap.conf
2014-07-03 16:52:52.702 +0700 pid=544 [com.splunk.program.LDAPFilter:Execute#-1] ERROR No connection available for xxx

I don't know why SAldapsearch does not connect to AD. The following is the SAldapsearch config file (ldap.conf).

[default]
server = SOC-LAP02.xxx.com.vn
port = 389

[xxx.com.vn]
server = SOC-LAP02.xxx.com.vn
port = 389
ssl = false
basedn = DC=xxx,DC=com,DC=vn
binddn = cn=Splunk Searcher,OU=Users,DC=xxx,DC=com,DC=vn
password = abc
alternatedomain = xxx

Please help me troubleshoot this case.

Thanks.

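Added example, not code from SA-ldapsearch or from the original post: a small Python checker that takes the domain name quoted in the `Could not find entry ... in ldap.conf` error above and resolves it against the posted ldap.conf, matching either the stanza name (the DNS domain) or the stanza's `alternatedomain` value (the NetBIOS name), then lists the settings in the matched stanza that a reviewer would question (`ssl = false` on port 389 means the simple bind sends the password in cleartext on the wire, and the password itself sits in cleartext in the file). The matching rule and the log-line regex are assumptions made for this example; the page does not show how the add-on itself performs its lookup. The config and log text are constructed copies of what is posted above.

```python
"""Added example (not SA-ldapsearch's own code): resolve the domain that
SAldapsearch.log says it could not find against the stanzas in ldap.conf and
flag reviewer concerns in the matched stanza.

Assumption (not stated on the page): a stanza serves a domain when its name
(DNS domain) or its `alternatedomain` value (NetBIOS name) equals the name
requested, compared case-insensitively.
"""
import configparser
import re
from typing import Dict, List, Optional

# Constructed copy of the ldap.conf posted above (blank lines removed).
LDAP_CONF = """\
[default]
server = SOC-LAP02.xxx.com.vn
port = 389

[xxx.com.vn]
server = SOC-LAP02.xxx.com.vn
port = 389
ssl = false
basedn = DC=xxx,DC=com,DC=vn
binddn = cn=Splunk Searcher,OU=Users,DC=xxx,DC=com,DC=vn
password = abc
alternatedomain = xxx
"""

# Constructed copy of two SAldapsearch.log lines posted above.
SALDAPSEARCH_LOG = """\
2014-07-03 16:52:52.702 +0700 pid=544 [com.splunk.ldap.ActiveDirectory:getConnectionForEntry#-1] ERROR Could not find entry xxx in ldap.conf
2014-07-03 16:52:52.702 +0700 pid=544 [com.splunk.program.LDAPFilter:Execute#-1] ERROR No connection available for xxx
"""

# Assumed log pattern, derived from the posted lines.
ENTRY_RE = re.compile(r"Could not find entry (\S+) in ldap\.conf")


def load_ldap_conf(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like; values in [default] apply to every stanza.
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def requested_domains(log_text: str) -> List[str]:
    """Domain names the add-on failed to look up, in first-seen order."""
    names: List[str] = []
    for m in ENTRY_RE.finditer(log_text):
        if m.group(1) not in names:
            names.append(m.group(1))
    return names


def resolve_stanza(cp: configparser.ConfigParser, domain: str) -> Optional[str]:
    """Stanza whose name or alternatedomain equals `domain` (case-insensitive)."""
    wanted = domain.lower()
    for name in cp.sections():
        if name.lower() == wanted:
            return name
        if cp[name].get("alternatedomain", "").strip().lower() == wanted:
            return name
    return None


def review_stanza(cp: configparser.ConfigParser, name: str) -> List[str]:
    """Settings in the stanza that a security reviewer would question."""
    s = cp[name]
    findings: List[str] = []
    if s.get("ssl", "false").strip().lower() != "true":
        findings.append("ssl=false: simple bind to %s:%s sends the bind password in cleartext"
                        % (s.get("server"), s.get("port")))
    if s.get("password", ""):
        findings.append("password is stored in cleartext in ldap.conf; restrict the file's ACL")
    return findings


def diagnose(conf_text: str, log_text: str) -> Dict[str, dict]:
    """Per requested domain: the stanza that would serve it (or None), how it matched, findings."""
    cp = load_ldap_conf(conf_text)
    report: Dict[str, dict] = {}
    for dom in requested_domains(log_text):
        stanza = resolve_stanza(cp, dom)
        if stanza is None:
            report[dom] = {"stanza": None, "via": None,
                           "findings": ["no stanza named %r and no alternatedomain = %r" % (dom, dom)]}
        else:
            via = "name" if stanza.lower() == dom.lower() else "alternatedomain"
            report[dom] = {"stanza": stanza, "via": via, "findings": review_stanza(cp, stanza)}
    return report


if __name__ == "__main__":
    for dom, r in diagnose(LDAP_CONF, SALDAPSEARCH_LOG).items():
        print("%s -> %s (matched by %s)" % (dom, r["stanza"], r["via"]))
        for f in r["findings"]:
            print("   -", f)
```

With the posted file the request for `xxx` reaches the `[xxx.com.vn]` stanza only through `alternatedomain`, so the first thing to compare is whether the add-on is being handed the NetBIOS name while the stanza is keyed by the DNS name (or the reverse). The second is to confirm, from the search head and independently of Splunk, that `cn=Splunk Searcher,OU=Users,DC=xxx,DC=com,DC=vn` can actually bind to SOC-LAP02.xxx.com.vn on port 389 with that password.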

dungpv
Explorer

This is the inputs config file of Splunk_TA_windows. Could you please check this file for me?

[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# DHCP
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt =
sourcetype = DhcpSrvLog

# Windows Update Log
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog

# File system change monitor
[fschange:$WINDIR\System32\drivers\etc]
disabled = 0
hashMaxSize = 1048576
pollPeriod = 30

# Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 0
# Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts

[script://.\bin\win_installed_apps.bat]
disabled = 0
# Run once per day
interval = 86400
sourcetype = Script:InstalledApps

[script://.\bin\win_timesync_configuration.bat]
disabled = 0
interval = 86400
sourcetype = Script:TimesyncConfiguration

[script://.\bin\win_timesync_status.bat]
disabled = 0
interval = 7200
sourcetype = Script:TimesyncStatus

# Splunk 5.0+ Performance Counters

# CPUTime
[perfmon://CPUTime]
counters = % Processor Time;% User Time
disabled = 0
instances = _Total
interval = 10
object = Processor

# Disk
[perfmon://FreeDiskSpace]
counters = Free Megabytes;% Free Space
disabled = 0
instances = *
interval = 10
object = LogicalDisk

# Memory
[perfmon://Memory]
counters = % Committed Bytes In Use;Available Bytes;Committed Bytes
disabled = 0
interval = 10
object = Memory

# Network
[perfmon://LocalNetwork]
counters = Bytes Received/sec;Bytes Sent/sec;Bytes Total/sec;Current Bandwidth
disabled = 0
instances = *
interval = 10
object = Network Interface

Thanks

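Added example, not code from Splunk_TA_windows or from the original post: a Python checker that parses an inputs.conf like the one posted above into an inventory of input stanzas (type, target, enabled or not, sourcetype, collection cadence) and reports the problems a reviewer would raise before blaming the app's feature detection, such as a scripted input with no `interval` or a key deliberately set to an empty value. The required-key table and the boolean spellings accepted for `disabled` are assumptions made for this example. The sample inputs.conf is a constructed, abridged copy of the posted file with two stanzas deliberately altered (win_installed_apps disabled, win_timesync_status without an interval) so that the checks have something to report.

```python
"""Added example (not Splunk_TA_windows' own code): inventory and sanity-check
an inputs.conf like the one posted above, so an app reporting a feature as
"not found" can be compared with what the forwarder is configured to send.

Assumptions (not stated on the page): Splunk's boolean spellings for
`disabled`; scripted inputs need `interval`, perfmon inputs need `object`,
`counters` and `interval`, fschange inputs need `pollPeriod`.
"""
import configparser
from typing import List

# Constructed, abridged copy of the posted inputs.conf. Two stanzas are
# altered for illustration: win_installed_apps is disabled, and
# win_timesync_status has no interval.
INPUTS_CONF = r"""
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

# DHCP
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt =
sourcetype = DhcpSrvLog

[fschange:$WINDIR\System32\drivers\etc]
disabled = 0
hashMaxSize = 1048576
pollPeriod = 30

[script://.\bin\win_listening_ports.bat]
disabled = 0
interval = 3600
sourcetype = Script:ListeningPorts

[script://.\bin\win_installed_apps.bat]
disabled = 1
interval = 86400
sourcetype = Script:InstalledApps

[script://.\bin\win_timesync_status.bat]
disabled = 0
sourcetype = Script:TimesyncStatus

[perfmon://CPUTime]
counters = % Processor Time;% User Time
disabled = 0
instances = _Total
interval = 10
object = Processor
"""

REQUIRED_KEYS = {
    "WinEventLog": (),
    "monitor": (),
    "fschange": ("pollPeriod",),
    "script": ("interval",),
    "perfmon": ("object", "counters", "interval"),
}
FALSE_WORDS = ("0", "f", "false", "n", "no", "off")


def load_inputs(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive (checkpointInterval)
    cp.read_string(text)
    return cp


def split_stanza(name: str):
    """'monitor://path' -> ('monitor', 'path'); 'fschange:path' -> ('fschange', 'path')."""
    kind, _, rest = name.partition(":")
    return kind, rest.lstrip("/")


def is_enabled(stanza) -> bool:
    return stanza.get("disabled", "0").strip().lower() in FALSE_WORDS


def inventory(text: str) -> List[dict]:
    """One row per stanza: type, target, enabled flag, sourcetype and cadence."""
    cp = load_inputs(text)
    rows = []
    for name in cp.sections():
        kind, target = split_stanza(name)
        s = cp[name]
        rows.append({"kind": kind, "target": target, "enabled": is_enabled(s),
                     "sourcetype": s.get("sourcetype", ""),
                     "cadence": s.get("interval", s.get("pollPeriod", ""))})
    return rows


def validate(text: str) -> List[str]:
    """Problems a reviewer would raise before blaming the app's detection step."""
    cp = load_inputs(text)
    problems = []
    for name in cp.sections():
        kind, _ = split_stanza(name)
        s = cp[name]
        if kind not in REQUIRED_KEYS:
            problems.append("%s: unknown input type %r" % (name, kind))
            continue
        for key in REQUIRED_KEYS[kind]:
            if not s.get(key, "").strip():
                problems.append("%s: missing %s" % (name, key))
        for key, val in s.items():
            if val.strip() == "":
                problems.append("%s: %s is set to an empty value" % (name, key))
    return problems


if __name__ == "__main__":
    for row in inventory(INPUTS_CONF):
        print("%-12s %-40s enabled=%s sourcetype=%s cadence=%s" % (
            row["kind"], row["target"], row["enabled"], row["sourcetype"], row["cadence"]))
    for p in validate(INPUTS_CONF):
        print("WARN", p)
```

Paths such as `$WINDIR\System32\DHCP` are expanded by the forwarder on the host, so what remains is a manual check on the server: that the expanded path exists and is readable by the account the forwarder runs as, and that each `.bat` under `bin\` produces output when run by hand.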


rsennett_splunk
Splunk Employee

The Windows Infrastructure App configurator looks for existing data.
You seem to have none that it can see.
Can you see the data by just searching for it?
If not, what you want to do is open a separate question that addresses that subject and include your configuration files so we can help you. It may be something as simple as a typo...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

dungpv
Explorer

Hi ppablo_splunk,

My app version is 6.X. I have configured it following the documentation link for version 6.x http://docs.splunk.com/Documentation/MSApp/1.0.2/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastruc... but still without success. The following is the log from when I tried to detect the features after configuring per the link above:

Detecting Event Monitoring
Windows: Event Monitoring found.
Detecting Performance Monitoring
Windows: Performance Monitoring found.
Detecting Applications and Updates
Windows: Applications and Updates not found.
Detecting Network Monitoring
Windows: Network Monitoring not found.
Detecting Print Monitoring
Windows: Print Monitoring not found.
Detecting Host Monitoring
Windows: Host Monitoring not found.
Detecting Domains
Active Directory: Domains not found.
Detecting Domain Controllers
Active Directory: Domain Controllers not found.
Detecting DNS
Active Directory: DNS not found.
Detecting Users
Active Directory: Users not found.
Detecting Computers
Active Directory: Computers not found.
Detecting Groups
Active Directory: Groups not found.

I think the SA-ldapsearch add-on is not operating. I have configured the SA-ldapsearch add-on following the link http://docs.splunk.com/Documentation/ActiveDirectory/latest/DeployAD/ConfiguretheSA-ldapsearchsuppor....

Please help me solve this problem. Thanks for your support.


ppablo
Retired

Hi @dungpv

What app do you need help with? Your title says App for Windows Infrastructure, but the documentation link you provided in the post is for the 5.X App for Active Directory. From what I can tell, these are two completely different apps with different documentation. Can you confirm which one you are having issues with?

App for Windows Infrastructure:
http://apps.splunk.com/app/1680/

5.X App for Active Directory:
http://apps.splunk.com/app/1059/
