I installed the app for Windows infrastructure, then the app for *nix. Now, when I go into the app for *nix, I get a message at the top saying eventtypes for wineventlog-ds and wineventlog-dns do not exist. This message doesn't appear anywhere else.
There are pre-reqs that are required to have the correct knowledge objects for the Windows Infrastructure app. If these are not on the same Search Head as the Windows Infrastructure app, it will give you those errors.
The Splunk Add-ons for Microsoft Active Directory and Windows DNS v1.0.0 or later
The suite of Splunk Add-ons for Active Directory must be installed on universal forwarders in the Windows deployment.
You can download the Splunk Add-ons for Microsoft Active Directory and Windows DNS from Splunkbase.
I was able to resolve this by editing this file:
C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\eventtypes.conf
(and doing find -> "wineventlog-dns") and then commenting out that one stanza (it was a stanza not relevant to me, especially since it wasn't working anyway). I did the same thing for "wineventlog-ds" as I was getting an error on that as well. Thanks.
Previous solutions did not work for me. Might be due to version differences.
What worked for me was simply adding the wineventlog-ds eventtype to the app for Windows infrastructure.
I.e., from within the Splunk App for Windows Infrastructure, click Settings --> Event Types --> New Event Type
and add an event type as per the screenshot below:
To resolve this I disabled export=system in default meta here: /splunk_app_windows_infrastructure/metadata
[eventtypes]
export = None
# export = system
Changed it to export=none so that other apps are not trying to use the eventtypes from the Windows infra app.
I tried this solution but then some of my other reports that use the Splunk App for Windows Infrastructure stopped showing results.
[eventtypes]
export = None
# export = system
export = app1, app2, etc
Where app1 and app2 are the apps that need it
I just encountered this issue after upgrading the Infrastructure app from 1.2 to 1.3, installed the DNS app and now the alert is gone... thanks!
Now I see the DS error but not the DNS error. How does one get rid of the DS error? I just upgraded 1.3
Eventtype 'wineventlog-ds' does not exist or is disabled
TY... I had the wrong app installed: I installed Splunk Supporting Add-on for Active Directory instead of Splunk Add-on for Microsoft Active Directory... issue solved, thanks for the second pair of eyes 😉
Thanks! Turns out I had missed a couple of the Add-ons that were required!
But I'm not using Active Directory or windows DNS on these servers. Also, the error only shows up in the App for *nix.
If you have the Windows Infrastructure app installed on this SH, it requires knowledge objects from the AD and DNS apps so these need to be installed to make those messages go away.
The alternative is to disable the eventtypes (which, if you are not using AD or DNS, should not have any impact on the Windows Infrastructure functionality).
Create a /splunk_app_windows_infrastructure/local/eventtypes.conf file with the following to disable the unneeded eventtypes. This should suppress those messages.
[msad-anomalous-events]
disabled=1
[msad-dirsvcs-anomalous-events]
disabled=1
[msad-rep-errors]
disabled=1
[msad-dns-events]
disabled=1
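
Added example (not part of the thread and not Splunk's own code): one way to work out which stanzas to disable instead of copying a fixed list. It scans eventtypes.conf text for enabled stanzas whose search references a missing eventtype and emits the matching local/eventtypes.conf override. The sample conf text and its searches are constructed for illustration, the function names are hypothetical, and backslash-continued lines are assumed not to occur.

```python
import re

# Constructed sample standing in for default/eventtypes.conf; the searches are
# illustrative assumptions, not the app's real definitions.
SAMPLE_DEFAULT = """\
[msad-dns-events]
search = eventtype=wineventlog-dns

[msad-rep-errors]
search = eventtype=wineventlog-ds (EventCode=1311 OR EventCode=2042)

# [msad-old]
# search = eventtype=wineventlog-ds

[perfmon-cpu]
search = sourcetype="Perfmon:CPU"
"""

def parse_stanzas(conf_text):
    """Return {stanza_name: {key: value}} for Splunk-style .conf text."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            current[key.strip()] = value.strip()
    return stanzas

def dependent_eventtypes(conf_text, missing):
    """Names of enabled stanzas whose search references a missing eventtype."""
    hits = []
    for name, settings in parse_stanzas(conf_text).items():
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue  # already disabled, nothing to override
        search = settings.get("search", "")
        refs = set(re.findall(r'eventtype\s*=\s*"?([\w:.-]+)', search))
        if refs & set(missing):
            hits.append(name)
    return hits

def local_override(names):
    """Text for local/eventtypes.conf that disables only the given stanzas."""
    return "".join(f"[{n}]\ndisabled = 1\n\n" for n in names)

if __name__ == "__main__":
    found = dependent_eventtypes(SAMPLE_DEFAULT, ["wineventlog-ds", "wineventlog-dns"])
    print(local_override(found), end="")
```

To use it on a real search head, pass in the contents of the app's default/eventtypes.conf in place of the sample and write the output to the local/ directory, which keeps the default/ file untouched.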