
No data on eventtype=msad-dc-health

kkossery
Communicator

I'm trying to get reports on AD from my latest version of Splunk (6.2). It looks like this eventtype is not populated with data yet. Is there another way to verify I'm getting the right indexes populated?

schultet
Path Finder

I ran this query to try to figure this out too.

earliest=-7d eventtype=* | stats count by eventtype | Table eventtype, count

eventtype count
external-referer 188526
external-referer perfmon perfmon-index perfmon_logicaldisk perfmon_windows visitor-type-referred windows_performance 0
external-referer perfmon perfmon-index perfmon_windows visitor-type-referred windows_performance 0
external-referer perfmon-index visitor-type-referred wmi_windows 0
external-referer summary-internet-mail visitor-type-referred 1653
external-referer summary-mailbox-size summary-user-population visitor-type-referred 2408
external-referer summary-user-mail visitor-type-referred 3176
perfmon 177706
perfmon-index 187500
perfmon_logicaldisk 7777
perfmon_windows 177706
visitor-type-referred 188526
windows_performance 177706
windows_updatelog 1026
windows_updatelog_status 16
windowsupdatelog_windows 1026
wmi_windows 13756

I set my index to MSAD when I set up forwarders on all my DCs (see Settings --> Data Inputs --> Remote Eventlog Collections).

But there do not appear to be any eventtypes = msad-successful-user-logons or msad-dc-health, as many Splunk AD infrastructure documents suggest.

There must be some setting that maps these event IDs to "eventtypes". I think there is a -nt6- now in between:

msad-account-lockout 8
msad-account-unlock 2
msad-ad-access 56
msad-admin-audit 18
msad-computer-changes 7
msad-disabled-logons 787
msad-dns-events 12
msad-failed-computer-logons 79
msad-failed-user-logons 800
msad-group-changes 1
msad-groupmembership-changes 1
msad-nt5-successful-user-logons 210
msad-nt6-account-lockout 8
msad-nt6-account-unlock 2
msad-nt6-ad-access 56
msad-nt6-computer-changes 7
msad-nt6-computer-changes 7
msad-nt6-disabled-logons 787
msad-nt6-failed-computer-logons 79
msad-nt6-failed-user-logons 800
msad-nt6-group-changes 1
msad-nt6-groupmembership-changes 1
msad-nt6-password-changes 4
msad-nt6-successful-computer-logons 166356
msad-nt6-successful-user-logons 60594
msad-nt6-user-changes 8
msad-password-changes 4
msad-successful-computer-logons 166356
msad-successful-user-logons 60804
msad-user-changes 8


malmoore
Splunk Employee

Events for AD go into the msad index. Are your indexers configured with that index? Can you perform a search and see any data in that index?


kkossery
Communicator

When I do an index=msad search, I do see data in it.

host = hostname source = Powershell sourcetype = MSAD:NT5:DNS-Zone-Information
4/15/15
7:59:01.000 AM
System.Collections.ArrayList
host = hostname source = Powershell sourcetype = MSAD:NT5:DNS-Zone-Information
4/15/15
7:58:52.409 AM
wWWHomePage=OptionalProperties
host = hostname source = ActiveDirectory sourcetype = ActiveDirectory

However, when I do a Guided Setup, under Tools and Settings, I see these errors:

Data from Splunk Add-on for Microsoft Windows Active Directory

Critical data could not be found

OK: 10 or more events detected in the last 24 hours

ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours

ERROR: Search "sourcetype="ActiveDirectory*" | head 5" did not return any events in the last 24 hours

So I think there is data, but it's not going to the right index?

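The two checks the thread is circling (schultet's eventtype counts and kkossery's index and sourcetype check) can be done with a handful of searches. The searches below are an added example written for this thread, not Splunk's or the add-on's own documentation; they assume the index is named msad as stated above and use the eventtype names quoted in the thread. The first search confirms the index exists and holds events on each indexer. The second breaks the last 24 hours of the index down by sourcetype, which is what the guided-setup checks look for. The third reads the eventtype definitions the installed apps actually ship (title, owning app, and the search each eventtype expands to), so you can see whether msad-dc-health is defined at all and which index and sourcetype it expects. The fourth runs the guided-setup pattern with an explicit index so you can compare it against the earlier result.

```spl
| eventcount summarize=false index=msad

| tstats count where index=msad earliest=-24h by sourcetype

| rest /services/saved/eventtypes splunk_server=local
| search title="msad-dc-health" OR title="msad-successful-user-logons" OR title="msad-nt6-*"
| table title eai:acl.app disabled search

index=msad earliest=-24h (sourcetype="MSAD*" OR sourcetype="ActiveDirectory*")
| stats count by sourcetype
```

Two things to compare between the results. If the fourth search returns events but the guided-setup search quoted above (which has no index= term) returns none, the gap is usually that msad is not among the "indexes searched by default" for the role running the check, so the unqualified sourcetype search never looks at it. If the third search shows an eventtype whose definition names a sourcetype or index that differs from what the second search reports, the data is arriving but the eventtype cannot match it, which is consistent with msad-nt6-* eventtypes having counts while msad-dc-health has none.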