
Splunk Add-on for Microsoft Windows Active Directory: Why does my search "sourcetype="ActiveDirectory*" | head 5" not return any events?

wilhelmF
Path Finder

Hi,

we are having trouble receiving events from sourcetype="ActiveDirectory*". We did everything that was explained in the documentation:
- amend GPO Group Policies
- amend PowerShell settings for local and remote signed script execution
- install Splunk Add-on for Microsoft PowerShell
- install Splunk Add-on for Microsoft Windows Active Directory

We are receiving most data from Active Directory, but sourcetype="ActiveDirectory*" is missing. Splunk Add-on for Microsoft PowerShell seems to work properly. Group Policies are set right. The other checks on the msad index went well. We can see events arriving in msad. (Please have a look at the screenshot below from the guided setup in the Splunk App for Windows Infrastructure.) Any ideas?


0 Karma

wilhelmF
Path Finder

Thank you for your answer:

  1. I added the necessary indexes to my role. Also, I should be allowed to read all indexes. I tried adding index=* before my search. Still no success.
  2. I don't use custom indexes.
  3. I see some events for sourcetype="WinEventLog:Directory-Service", but too few. My question here is: if the sourcetype for Active Directory should be sourcetype="WinEventLog:Directory-Service", why then is the Windows Infrastructure App searching for sourcetype="ActiveDirectory*"?

Thanks

0 Karma

3no
Communicator

Can you check these points?

1 - Are you sending your logs to the main index? Check your role; maybe you don't have access by default to this index.
You can also try adding index=* or index=[your_index_name] before your search.

2 - If you are using a custom index, make sure it's well defined on your indexers and that you can access it.

3 - Also, I'm pretty sure that by default the sourcetype for Active Directory should be something like sourcetype="WinEventLog:Directory Service"

0 Karma
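The three checks in the reply above can be verified from the search bar rather than by guessing. The searches below are an added illustration, not part of 3no's reply or of either add-on's own content; the index name msad comes from the question, and the 24-hour window is an assumption chosen for the example. Run each search on its own.

```spl
| rest /services/authentication/current-context splunk_server=local
| fields username roles

| rest /services/authorization/roles splunk_server=local
| fields title srchIndexesAllowed srchIndexesDefault

| tstats count WHERE index=* earliest=-24h BY index sourcetype

| metadata type=sourcetypes index=msad
| table sourcetype totalCount firstTime lastTime
```

The first search shows which roles the current user holds; the second lists, per role, which indexes are searchable (srchIndexesAllowed) and which are searched when no index= is given (srchIndexesDefault), which is the check behind point 1. The tstats search lists every index/sourcetype pair that actually holds events, so an ActiveDirectory* sourcetype that is missing there was never indexed under any name, regardless of permissions. The metadata search narrows that to the msad index and also gives first and last event times, which separates "never arrived" from "stopped arriving", a distinction that matters when a scripted PowerShell input has silently stopped running.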