Splunk Add-on for Microsoft Active Directory: After making inputs.conf edits, why are domain controllers failing to download the deployment app?

maclel
Engager

Hi,

I have installed the new Splunk Add-on for Microsoft Active Directory (hxxps://splunkbase.splunk.com/app/3207/) instead of using the TA-DomainController- as per the latest doco, on all domain controllers but with the [admon://...] disabled as per the best practice article. I am then using a different app (TA-DomainController-2012r2, since the newer app wasn't installing properly) on two domain controllers for the [admon://...] stanza for AD monitoring. Both server classes for the DCs (1 with admon, 1 without) have the PowerShell add-on installed and working fine.

For some reason, two days ago, after editing the inputs.conf file of the Splunk Add-on for MS AD to also include some security events (Account Management, ~4720-4767), so that these events are not indexed from every end-user system and since they pertain to AD administration, the app stopped installing. The logs show the app being downloaded fine, but it fails to install on any of the domain controllers. The checksum is correct and Client Sessions Manager doesn't provide any further information on why:

WARN  ClientSessionsManager - ip=<IP> name=D22F86C9-9DFC-4B8C-B89F-... Updating record for sc=_Domain_Controllers app=Splunk_TA_microsoft_ad: action=Install result=Fail checksum=18438656072813161293

I have tried removing, commenting out and disabling the "[WinEventLog://Security]" stanza. Because of some other issues that pop up when running the CLI command, I use the Forwarder Management GUI to deploy apps. I have tried deleting the record of the client and uninstalling/removing the app from the client/server class, then placing it back into the group, with no luck getting it working again.

Environment:
Linux 6.3.3 Splunk Enterprise servers (Idx cluster; separate SHs; Deploy Svr/LM/Cluster Master)
MSInfra app 1.3.0 (Using the TA-DomainController-2012r2 from the appserver/addons folder, as init. had similar issue installing the new add-on so switched to this one instead for using [admon://..])
SA-ldapsearch 2.1.3
Splunk Add-on for Microsoft Active Directory 1.0.0 (deployed to multiple DCs via UFs)
* DCs mix of 2008 and 2012r2 servers, the new Add-on for MS AD has inputs for both NT6 ('08) and 2012r2 in the one inputs.conf file
Splunk Add-on for Microsoft PowerShell 1.2.1

Also used this blog post from Splunk as well: hxxp://blogs.splunk.com/2014/01/27/working-with-active-directory-on-splunk-universal-forwarders/

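The kind of inputs.conf edit described in the question, with a small checker that parses the file and validates the event-code whitelist before it is pushed through the deployment server. This is an added example, not the poster's file and not code from the add-on; the stanza names and the plain numeric whitelist form are standard Splunk inputs.conf syntax, while the index name and the sample values are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the stanzas the question describes (not the poster's file).
SAMPLE_INPUTS_CONF = """\
# admon left disabled on this server class, per the best-practice article
[admon://NearestDC]
disabled = 1

[WinEventLog://Security]
disabled = 0
index = wineventlog
# Account Management events only, so other hosts need not forward them
whitelist = 4720-4767
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_conf(text):
    """Parse Splunk .conf text ('[stanza]', 'key = value', '#' comments) into nested dicts."""
    stanzas, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("line outside a stanza or missing '=': %r" % raw)
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def expand_whitelist(value):
    """Expand a plain numeric whitelist such as '4720-4767,4624' into the set of EventCodes.
    Only the simple number/range form is handled here; the key=regex form is not (assumption)."""
    codes = set()
    for item in value.split(","):
        m = RANGE_RE.match(item.strip())
        if not m:
            raise ValueError("unsupported whitelist entry: %r" % item)
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if hi < lo:
            raise ValueError("descending range: %r" % item)
        codes.update(range(lo, hi + 1))
    return codes


def enabled_stanzas(stanzas):
    """Names of stanzas a forwarder would run; 'disabled' defaults to 0 when absent."""
    return [n for n, kv in stanzas.items() if kv.get("disabled", "0") not in ("1", "true")]
```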

cameronr0705
New Member

Have you tried splunk reload deploy server on the deployment server? Is Splunk on the AD servers running as a different user than the workstations? Could you send a copy of the .conf file that is causing the issue?
