Message "Eventtype 'wineventlog-ds' does not exist or is disabled" appears in splunk app for *nix

gregbo
Communicator

I installed the app for Windows infrastructure, then the app for *nix. Now, when I go into the app for *nix, I get a message at the top saying eventtypes for wineventlog-ds and wineventlog-dns do not exist. This message doesn't appear anywhere else.


tsweet_splunk
Splunk Employee

There are pre-reqs that are required to have the correct knowledge objects for the Windows Infrastructure app. If these are not on the same Search Head as the Windows Infrastructure app, it will give you those errors.

http://docs.splunk.com/Documentation/MSApp/1.3.0/MSInfra/Platformandhardwarerequirements#The_Splunk_...

The Splunk Add-ons for Microsoft Active Directory and Windows DNS v1.0.0 or later

The suite of Splunk Add-ons for Active Directory must be installed on universal forwarders in the Windows deployment.

You can download the Splunk Add-ons for Microsoft Active Directory and Windows DNS from Splunkbase.

spunk311z
Path Finder

I was able to resolve this by editing this file:

C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\eventtypes.conf

(and doing find -> "wineventlog-dns") and then commenting out that one stanza (it was a stanza not relevant to me, especially since it wasn't working anyway). I did the same thing for "wineventlog-ds" as I was getting an error on that as well. Thanks.

0 Karma

tnesavich_splun
Splunk Employee

Previous solutions did not work for me. Might be due to version differences.

What worked for me was simply adding the wineventlog-ds eventtype to the app for windows infrastructure.

I.e., from within the Splunk App for Windows Infrastructure, click Settings --> Event Types --> New Event Type

and add an event type as per the screenshot below:
https://i.imgsafe.org/9d/9d900d1c7b.png

0 Karma

jkat54
SplunkTrust

To resolve this I disabled export=system in default meta here: /splunk_app_windows_infrastructure/metadata

[eventtypes]
export = None
# export = system

Changed it to export=none so that other apps are not trying to use the eventtypes from the windows infra app.

s_dparker
New Member

I tried this solution, but then some of my other reports that use the Splunk App for Windows Infrastructure stopped showing results.

[eventtypes]
export = None
# export = system

0 Karma

jkat54
SplunkTrust

export = app1, app2, etc

Where app1 and app2 are the apps that need it

0 Karma

mtime24
Path Finder

I just encountered this issue after upgrading the Infrastructure app from 1.2 to 1.3, installed the DNS app and now the alert is gone... thanks!

0 Karma

mtime24
Path Finder

Now I see the DS error but not the DNS error. How does one get rid of the DS error? I just upgraded to 1.3.
Eventtype 'wineventlog-ds' does not exist or is disabled

0 Karma

tsweet_splunk
Splunk Employee

Active Directory app is also needed:

https://splunkbase.splunk.com/app/3207/

enjoy

mtime24
Path Finder

TY....I had the wrong app installed, I installed Splunk Supporting Add-on for Active Directory instead of Splunk Add-on for Microsoft Active Directory....issue solved, thanks for the second pair of eyes 😉

0 Karma

mschmunk06
Engager

Thanks! Turns out I had missed a couple of the Add-ons that were required!

0 Karma

gregbo
Communicator

But I'm not using Active Directory or windows DNS on these servers. Also, the error only shows up in the App for *nix.

0 Karma

tsweet_splunk
Splunk Employee

If you have the Windows Infrastructure app installed on this SH, it requires knowledge objects from the AD and DNS apps, so these need to be installed to make those messages go away.

The alternative is to disable the eventtypes (which, if you are not using AD or DNS, should not have any impact on the Windows Infrastructure functionality).

Create a /splunk_app_windows_infrastructure/local/eventtypes.conf file with the following to disable the unneeded eventtypes. This should suppress those messages.

[msad-anomalous-events]
disabled=1

[msad-dirsvcs-anomalous-events]
disabled=1

[msad-rep-errors]
disabled=1

[msad-dns-events]
disabled=1
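
As an added example (not part of the original thread and not Splunk's own code): a Python check that merges eventtypes.conf layers the way default/ and local/ stack, then lists enabled eventtypes whose search refers to an eventtype that is missing or disabled, which is the condition behind the "does not exist or is disabled" message. The stanza search strings, the sample layers and the helper names `merge` and `dangling` are constructed assumptions, not copied from the real apps.

```python
import configparser
import re

# Constructed sample layers; the search strings are assumptions for illustration.
DEFAULT = """
[msad-dns-events]
search = eventtype=wineventlog-dns
[msad-rep-errors]
search = eventtype=wineventlog-ds EventCode=1864
[perfmon-cpu]
search = sourcetype=Perfmon:CPU
"""
LOCAL = """
[msad-dns-events]
disabled = 1
"""
ADDON = """
[wineventlog-ds]
search = sourcetype="WinEventLog:Directory Service"
"""

# Matches eventtype=<name> references inside a search string.
REF = re.compile(r'\beventtype\s*=\s*"?([\w:.-]+)')

def merge(layers):
    """Merge conf texts in order (later wins), like default/ then local/."""
    merged = {}
    for text in layers:
        cp = configparser.RawConfigParser(strict=False)
        cp.read_string(text)
        for name in cp.sections():
            merged.setdefault(name, {}).update(cp.items(name))
    return merged

def dangling(merged):
    """Return {enabled eventtype: [referenced eventtypes missing or disabled]}."""
    def off(stanza):
        return stanza.get("disabled", "0").strip().lower() in ("1", "true")
    live = {n for n, s in merged.items() if not off(s)}
    report = {}
    for name in sorted(live):
        refs = REF.findall(merged[name].get("search", ""))
        missing = sorted({r for r in refs if r not in live})
        if missing:
            report[name] = missing
    return report

if __name__ == "__main__":
    print(dangling(merge([DEFAULT, LOCAL])))
```

To use it on a real search head, pass the contents of each app's default and local eventtypes.conf in place of the constructed strings.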