All Apps and Add-ons

No result in Active Directory app

sd100
Explorer

Hello, I spent some time configuring my Active Directory app, but no results are coming up from the dashboard. Every graph says: "no results found".
If I remove 'host!="*"' from a search (let's say the Security -> Logon Failed search), I DO get a result. The same thing happens on some other searches.

Logs are coming in correctly: logs are coming from a forwarder with TA_addon going to the "winevents" index (I changed the inputs.conf). On the indexer: TA_addon is installed but not configured, sa_ldapsearch is installed and configured, the Active Directory app is installed and searching in the winevents index (I changed the eventtypes.conf).

Versions used: TA_ADDON 4.6, Active Directory 1.1.3.

Should I modify the app to remove host!="*" in every search? Any idea what I'm doing wrong?

Thanks

1 Solution

MarioM
Motivator

Make sure you have the right TA (NT5 > Win2003, NT6 > Win2008) in the domain controller's Splunk forwarder:

TA-DNSServer-NT5
TA-DNSServer-NT6
TA-DomainController-NT5
TA-DomainController-NT6

You can find them in splunk\etc\apps\Splunk_for_ActiveDirectory\appserver\addons

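As an added example (not code from the thread or from the Splunk app), a small Python check that compares a forwarder's app directory list against the NT5/NT6 add-ons named above and reports both missing and wrong-generation TAs; the function names and the Windows-release-to-generation map are assumptions.

```python
"""Audit a domain controller's Splunk forwarder for the AD app add-ons.
Added example; function names and the release map are assumptions."""
import os
import re

# Per the accepted answer: NT5 add-ons for Windows 2003, NT6 for Windows 2008.
REQUIRED_BY_GENERATION = {
    "NT5": ("TA-DNSServer-NT5", "TA-DomainController-NT5"),
    "NT6": ("TA-DNSServer-NT6", "TA-DomainController-NT6"),
}
# Assumed from the answer's "NT5 > Win2003, NT6 > Win2008" note.
WINDOWS_TO_GENERATION = {"2003": "NT5", "2008": "NT6"}


def generation_for(windows_version: str) -> str:
    """Map a release string such as 'Windows Server 2008' to 'NT5' or 'NT6'."""
    key = re.sub(r"(?i)^windows\s+server\s+", "", windows_version.strip())
    if key not in WINDOWS_TO_GENERATION:
        raise ValueError(f"no add-on generation known for {windows_version!r}")
    return WINDOWS_TO_GENERATION[key]


def audit_addons(installed_apps, windows_version):
    """Return {'missing': [...], 'wrong_generation': [...]} for the forwarder.

    'missing' lists required TAs absent from installed_apps; 'wrong_generation'
    lists TAs built for the other NT generation, which the answer warns against.
    """
    wanted = generation_for(windows_version)
    installed = {name.lower(): name for name in installed_apps}
    missing = [ta for ta in REQUIRED_BY_GENERATION[wanted]
               if ta.lower() not in installed]
    wrong = [installed[ta.lower()]
             for gen, tas in REQUIRED_BY_GENERATION.items() if gen != wanted
             for ta in tas if ta.lower() in installed]
    return {"missing": missing, "wrong_generation": wrong}


def installed_apps_in(splunk_home):
    """List app directory names under $SPLUNK_HOME/etc/apps on the forwarder."""
    apps_dir = os.path.join(splunk_home, "etc", "apps")
    return sorted(d for d in os.listdir(apps_dir)
                  if os.path.isdir(os.path.join(apps_dir, d)))


if __name__ == "__main__":
    # Constructed sample: the forwarder in the question only carried TA_windows.
    sample_apps = ["TA_windows", "SplunkUniversalForwarder", "learned"]
    for ta in audit_addons(sample_apps, "Windows Server 2008")["missing"]:
        print(f"missing on forwarder: {ta}")
```

On a real forwarder, pass `installed_apps_in(r"C:\Program Files\SplunkUniversalForwarder")` (or the Linux path) instead of the constructed list.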

sd100
Explorer

In the dashboard, Security -> User Logon Failures: the graphs are empty: "no results found. inspect...". If I click on inspect, the search contains this host!="". If I copy/paste this search WITHOUT the host!="", I'm getting a result.
But I guess the trouble is elsewhere: the upper part of the dashboard is empty (in Forest, Domain, ...).
Part of the answer is that my forwarder on my domain controller only contains the TA_windows app.
I forgot to add the apps TA-DNSServer-NT6 and TA-DomainController-NT6 on the domain controller
(you get them in active_directory/appserver/addons on your indexer).


sd100
Explorer

Copied the app to the domain controller's forwarder, restarted the service, and boom: graphs are OK, domain and site appear at the top of the Active Directory app... Great, thanks!


MarioM
Motivator

Where do you have this host!="*"? Because I cannot find it in any of the app's conf files.
