
No data on eventtype=msad-dc-health


I'm trying to get reports on AD from my latest version of Splunk (6.2). It looks like this eventtype is not populated with data yet. Is there another way to verify I'm getting the right indexes populated?


I ran this query to try to figure this out too.

earliest=-7d eventtype=* | stats count by eventtype | Table eventtype, count

eventtype count
external-referer 188526
external-referer perfmon perfmon-index perfmon_logicaldisk perfmon_windows visitor-type-referred windows_performance 0
external-referer perfmon perfmon-index perfmon_windows visitor-type-referred windows_performance 0
external-referer perfmon-index visitor-type-referred wmi_windows 0
external-referer summary-internet-mail visitor-type-referred 1653
external-referer summary-mailbox-size summary-user-population visitor-type-referred 2408
external-referer summary-user-mail visitor-type-referred 3176
perfmon 177706
perfmon-index 187500
perfmon_logicaldisk 7777
perfmon_windows 177706
visitor-type-referred 188526
windows_performance 177706
windows_updatelog 1026
windows_updatelog_status 16
windowsupdatelog_windows 1026
wmi_windows 13756

I set my index to MSAD when I set up forwarders on all my DCs (see Settings --> Data Inputs --> Remote Eventlog Collections).

But there do not appear to be any eventtypes = msad-successful-user-logons or msad-dc-health as many Splunk AD infrastructure documents suggest.

There must be some setting that maps these event IDs to "eventtypes". I think there is a -nt6- now in between:

msad-account-lockout 8
msad-account-unlock 2
msad-ad-access 56
msad-admin-audit 18
msad-computer-changes 7
msad-disabled-logons 787
msad-dns-events 12
msad-failed-computer-logons 79
msad-failed-user-logons 800
msad-group-changes 1
msad-groupmembership-changes 1
msad-nt5-successful-user-logons 210
msad-nt6-account-lockout 8
msad-nt6-account-unlock 2
msad-nt6-ad-access 56
msad-nt6-computer-changes 7
msad-nt6-computer-changes 7
msad-nt6-disabled-logons 787
msad-nt6-failed-computer-logons 79
msad-nt6-failed-user-logons 800
msad-nt6-group-changes 1
msad-nt6-groupmembership-changes 1
msad-nt6-password-changes 4
msad-nt6-successful-computer-logons 166356
msad-nt6-successful-user-logons 60594
msad-nt6-user-changes 8
msad-password-changes 4
msad-successful-computer-logons 166356
msad-successful-user-logons 60804
msad-user-changes 8

Splunk Employee

Events for AD go into the msad index. Are your indexers configured with that index? Can you perform a search and see any data in that index?



When I do an index=msad search, I do see data in it.

host = hostname source = Powershell sourcetype = MSAD:NT5:DNS-Zone-Information
7:59:01.000 AM
host = hostname source = Powershell sourcetype = MSAD:NT5:DNS-Zone-Information
7:58:52.409 AM
host = hostname source = ActiveDirectory sourcetype = ActiveDirectory

However, when I do a Guided Setup, under Tools and Settings, I see these errors:

Data from Splunk Add-on for Microsoft Windows Active Directory

Critical data could not be found

OK: 10 or more events detected in the last 24 hours

ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours

ERROR: Search "sourcetype="ActiveDirectory*" | head 5" did not return any events in the last 24 hours

So I think there is data but it's not going to the right index?

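As an added diagnostic example (not part of the thread above and not from the add-on itself), the following SPL searches walk through the checks the thread circles around: whether the msad index exists on the indexers, which sourcetypes and sources it received in the last 24 hours (the same window the Guided Setup checks use), whether the add-on's eventtype tags are being attached to those events, and which indexes the searching user's role searches by default. The index name msad and the MSAD* sourcetype prefix are taken from the posts; `<your_role>` is a placeholder for the role of the account running the Guided Setup. The last search matters because a search with no index= clause, like the quoted "sourcetype="MSAD*" | head 5" check, only looks in the role's default search indexes, so index=msad can return events while the same sourcetype filter without index= returns nothing.

```spl
| eventcount summarize=false index=msad
| table index server count

index=msad earliest=-24h
| stats count min(_time) AS first_seen max(_time) AS last_seen BY sourcetype source host
| convert ctime(first_seen) ctime(last_seen)

index=msad earliest=-24h
| stats count BY sourcetype eventtype

index=msad sourcetype="MSAD*" earliest=-24h
| where isnull(eventtype)
| stats count BY sourcetype source

| rest /services/authorization/roles splunk_server=local
| search title="<your_role>"
| table title srchIndexesDefault srchIndexesAllowed
```

Run the five searches one at a time from the search bar, top to bottom. The first confirms every indexer reports a non-zero count for msad; the second shows which sourcetypes (for example MSAD:NT5:DNS-Zone-Information versus a health sourcetype) are actually arriving and when they were last seen; the third lists which eventtypes are applied per sourcetype, so a sourcetype that appears there without any msad-* eventtype points at the add-on's eventtype definitions not matching the data; the fourth isolates MSAD* events that received no eventtype at all; the fifth shows whether msad is in srchIndexesDefault, which, if it is absent, explains Guided Setup searches that omit index= returning nothing even though index=msad has data.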