
Splunk Add-on for Microsoft Windows Active Directory: Why does my search "sourcetype="ActiveDirectory*" | head 5" not return any events?

wilhelmF
Path Finder

Hi,

we are having trouble receiving events from sourcetype="ActiveDirectory*". We did everything that was explained in the documentation:
- amend GPO Group Policies
- amend PowerShell settings for local and remote signed script execution
- install Splunk Add-on for Microsoft Powershell
- install Splunk Add-on for Microsoft Windows Active Directory

We are receiving most data from Active Directory, but sourcetype="ActiveDirectory*" is missing. Splunk Add-on for Microsoft Powershell seems to work properly. Group Policies are set right. The other checks on the msad index went well. We can see events arriving in msad. (Please have a look at the screenshot below from the guided setup in the Splunk App for Windows Infrastructure.) Any ideas?



wilhelmF
Path Finder

Thank you for your answer:

  1. I added the necessary indexes to my role. Also, I should be allowed to read all indexes. I tried adding index=* before my search. Still no success.
  2. I don't use custom indexes.
  3. I see some events for sourcetype="WinEventLog:Directory-Service", but too few. My question here is: if the sourcetype for Active Directory should be sourcetype="WinEventLog:Directory-Service", why then is the Windows Infrastructure App searching for sourcetype="ActiveDirectory*"?

Thanks


3no
Communicator

Can you check these points?

1 - Are you sending your logs to the main index? Check your role; maybe you don't have access to this index by default.
You can also try adding index=* or index=[your_index_name] before your search.

2 - If you are using a custom index, make sure it's well defined on your indexers and that you can access it.

3 - Also, I'm pretty sure that by default the sourcetype for Active Directory should be something like sourcetype="WinEventLog:Directory Service"

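An added example, not from the thread or from the Splunk add-ons: a small Python helper that takes a constructed authorize.conf role stanza (the keys srchIndexesAllowed and srchIndexesDefault are the real ones; the values are made up) plus a constructed list of indexed events, and shows the two effects the points above describe: a search with no index= clause only touches the role's default indexes, and sourcetype="ActiveDirectory*" can never match events that carry sourcetype WinEventLog:Directory Service. The matching is simplified for this example (only `*` is treated as a wildcard, comparisons are case-sensitive, and srchIndexesAllowed is assumed to list concrete index names); these are assumptions of the example, not Splunk's exact semantics.

```python
"""Model Splunk role index access and sourcetype wildcard matching (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a role stanza as it would appear in authorize.conf.
# The keys are real authorize.conf keys; the role name and index values are invented.
SAMPLE_AUTHORIZE_CONF = """
[role_ad_analyst]
srchIndexesAllowed = main;msad;perfmon
srchIndexesDefault = main
"""

# Constructed sample of what is actually indexed: (index, sourcetype) pairs.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("msad", "WinEventLog:Directory Service"),
    ("msad", "WinEventLog:Security"),
    ("main", "WinEventLog:System"),
]


def parse_role_stanza(text: str, role: str) -> Dict[str, List[str]]:
    """Return the semicolon-separated list values of one [role_<name>] stanza."""
    stanza: Dict[str, List[str]] = {}
    in_role = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_role = line == f"[role_{role}]"
            continue
        if in_role and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanza[key] = [v.strip() for v in value.split(";") if v.strip()]
    return stanza


def wildcard_match(pattern: str, value: str) -> bool:
    """Match a search-style wildcard where only '*' is special (assumption: case-sensitive)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def indexes_searched(role: Dict[str, List[str]], index_clause: Optional[str]) -> List[str]:
    """Indexes a search touches for this role.

    No index= clause: only the role's default indexes are searched.
    With a clause: the pattern is matched against the role's allowed indexes
    (assumption: allowed indexes are listed by name, not as wildcards).
    """
    if index_clause is None:
        return list(role.get("srchIndexesDefault", []))
    return [i for i in role.get("srchIndexesAllowed", []) if wildcard_match(index_clause, i)]


def events_returned(
    role: Dict[str, List[str]],
    index_clause: Optional[str],
    sourcetype_pattern: str,
    events: List[Tuple[str, str]] = SAMPLE_EVENTS,
) -> List[Tuple[str, str]]:
    """Events the search would return: index must be searched and sourcetype must match."""
    searched = set(indexes_searched(role, index_clause))
    return [e for e in events if e[0] in searched and wildcard_match(sourcetype_pattern, e[1])]


if __name__ == "__main__":
    role = parse_role_stanza(SAMPLE_AUTHORIZE_CONF, "ad_analyst")
    cases = [
        (None, "ActiveDirectory*"),            # thread's original search: nothing
        ("*", "ActiveDirectory*"),             # index=* added: still nothing, sourcetype mismatch
        ("*", "WinEventLog:Directory*"),       # matching sourcetype pattern: the msad event
        (None, "WinEventLog:*"),               # no index clause: only default index 'main'
    ]
    for index_clause, st in cases:
        clause = "" if index_clause is None else f'index={index_clause} '
        print(f'{clause}sourcetype="{st}" -> {events_returned(role, index_clause, st)}')
```

Running the block prints one line per search variant; the first two come back empty for different reasons (default-index scope versus sourcetype mismatch), which is the distinction worth checking before changing role permissions.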