No data on eventtype=msad-dc-health

kkossery
Communicator

I'm trying to get reports on AD from my latest version of Splunk (6.2). It looks like this eventtype is not populated with data yet. Is there another way to verify I'm getting the right indexes populated?

schultet
Path Finder

I ran this query to try to figure this out too.

earliest=-7d eventtype=* | stats count by eventtype | Table eventtype, count

eventtype count
external-referer 188526
external-referer perfmon perfmon-index perfmon_logicaldisk perfmon_windows visitor-type-referred windows_performance 0
external-referer perfmon perfmon-index perfmon_windows visitor-type-referred windows_performance 0
external-referer perfmon-index visitor-type-referred wmi_windows 0
external-referer summary-internet-mail visitor-type-referred 1653
external-referer summary-mailbox-size summary-user-population visitor-type-referred 2408
external-referer summary-user-mail visitor-type-referred 3176
perfmon 177706
perfmon-index 187500
perfmon_logicaldisk 7777
perfmon_windows 177706
visitor-type-referred 188526
windows_performance 177706
windows_updatelog 1026
windows_updatelog_status 16
windowsupdatelog_windows 1026
wmi_windows 13756

I set my index to MSAD when I set up forwarders on all my DCs (see Settings --> Data Inputs --> Remote Eventlog Collections).

But there do not appear to be any eventtypes such as msad-successful-user-logons or msad-dc-health, as many Splunk AD infrastructure documents suggest.

There must be some setting that maps these event IDs to "eventtypes". I think there is a -nt6- now in between:

msad-account-lockout 8
msad-account-unlock 2
msad-ad-access 56
msad-admin-audit 18
msad-computer-changes 7
msad-disabled-logons 787
msad-dns-events 12
msad-failed-computer-logons 79
msad-failed-user-logons 800
msad-group-changes 1
msad-groupmembership-changes 1
msad-nt5-successful-user-logons 210
msad-nt6-account-lockout 8
msad-nt6-account-unlock 2
msad-nt6-ad-access 56
msad-nt6-computer-changes 7
msad-nt6-computer-changes 7
msad-nt6-disabled-logons 787
msad-nt6-failed-computer-logons 79
msad-nt6-failed-user-logons 800
msad-nt6-group-changes 1
msad-nt6-groupmembership-changes 1
msad-nt6-password-changes 4
msad-nt6-successful-computer-logons 166356
msad-nt6-successful-user-logons 60594
msad-nt6-user-changes 8
msad-password-changes 4
msad-successful-computer-logons 166356
msad-successful-user-logons 60804
msad-user-changes 8

0 Karma

malmoore
Splunk Employee

Events for AD go into the msad index. Are your indexers configured with that index? Can you perform a search and see any data in that index?

0 Karma

kkossery
Communicator

When I do an index=msad search, I do see data in it.

host = hostname source = Powershell sourcetype = MSAD:NT5:DNS-Zone-Information
4/15/15
7:59:01.000 AM
System.Collections.ArrayList
host = hostname source = Powershell sourcetype = MSAD:NT5:DNS-Zone-Information
4/15/15
7:58:52.409 AM
wWWHomePage=OptionalProperties
host = hostname source = ActiveDirectory sourcetype = ActiveDirectory

However, when I do a Guided Setup, under Tools and Settings, I see these errors:

Data from Splunk Add-on for Microsoft Windows Active Directory

Critical data could not be found

OK: 10 or more events detected in the last 24 hours

ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours

ERROR: Search "sourcetype="ActiveDirectory*" | head 5" did not return any events in the last 24 hours

So I think there is data, but it's not going to the right index?

0 Karma
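Added example (not from this thread, the add-on, or Splunk itself): a small Python model of how Splunk applies eventtypes at search time, using constructed eventtypes.conf-style stanzas (the add-on's real definitions differ) and constructed sample events. It shows why an eventtype only populates for events the base search actually returns: data sitting in an index the search does not cover, or carrying a sourcetype the stanza does not name, never appears under `stats count by eventtype`.

```python
import fnmatch
import re

# Constructed eventtypes.conf-style stanzas (hypothetical; the add-on's real ones
# differ): alternatives joined by OR, each an AND of key=value terms ('*' allowed).
EVENTTYPES_CONF = """
[msad-nt5-successful-user-logons]
search = sourcetype="WinEventLog:Security" EventCode=540
[msad-nt6-successful-user-logons]
search = sourcetype="WinEventLog:Security" EventCode=4624
[msad-successful-user-logons]
search = eventtype=msad-nt5-successful-user-logons OR eventtype=msad-nt6-successful-user-logons
[msad-dc-health]
search = sourcetype="MSAD:NT6:Health"
"""

EVENTS = [  # constructed sample events; the last one landed in 'main', not 'msad'
    {"index": "msad", "sourcetype": "WinEventLog:Security", "EventCode": "4624"},
    {"index": "msad", "sourcetype": "WinEventLog:Security", "EventCode": "540"},
    {"index": "msad", "sourcetype": "MSAD:NT6:Health", "EventCode": ""},
    {"index": "main", "sourcetype": "MSAD:NT6:Health", "EventCode": ""},
]

def parse_eventtypes(conf):
    """Return {eventtype: [[(key, value), ...], ...]}, one inner list per OR alternative."""
    return {name: [re.findall(r'(\w+)=("[^"]*"|\S+)', alt) for alt in re.split(r"\s+OR\s+", expr)]
            for name, expr in re.findall(r"\[([^\]]+)\]\s*search\s*=\s*(.+)", conf)}

def matches(event, terms, types):
    """True when every key=value term holds; an eventtype=X term evaluates X's stanza."""
    for key, value in terms:
        value = value.strip('"')
        if key == "eventtype":
            if not any(matches(event, alt, types) for alt in types.get(value, [])):
                return False
        elif not fnmatch.fnmatchcase(str(event.get(key, "")), value):
            return False
    return True

def count_by_eventtype(events, searched_indexes, types):
    """Model `index=... | stats count by eventtype`: only events the base search returns get tagged."""
    counts = {}
    for ev in events:
        if ev["index"] not in searched_indexes:
            continue  # data in an index the search does not cover never gets an eventtype
        for name, alts in types.items():
            if any(matches(ev, alt, types) for alt in alts):
                counts[name] = counts.get(name, 0) + 1
    return counts
```

Searching only index=msad tags the umbrella msad-successful-user-logons on both the NT5 and the NT6 logon event, the same union relationship visible in the counts above (210 + 60594 = 60804), while the health event that landed in main is only counted when main is part of the search.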