Hi,
we are having trouble receiving events from sourcetype="ActiveDirectory*". We did everything that was explained in the documentation:
- amend GPO Group Policies
- amend PowerShell settings for local and remote signed script execution
- install Splunk Add-on for Microsoft PowerShell
- install Splunk Add-on for Microsoft Windows Active Directory
We are receiving most data from Active Directory, but sourcetype="ActiveDirectory*" is missing. Splunk Add-on for Microsoft PowerShell seems to work properly. Group Policies are set right. The other checks on the msad index went well. We can see events arriving in msad. (Please have a look at the screenshot below from the guided setup in the Splunk App for Windows Infrastructure.) Any ideas?
Thank you for your answer:
sourcetype="WinEventLog:Directory-Service"
but too few. My question here is: if the sourcetype for Active Directory should be sourcetype="WinEventLog:Directory-Service", why then is the Windows Infrastructure App searching for sourcetype="ActiveDirectory*"?
Thanks
Can you check these points?
1 - Are you sending your logs to the main index? Check your role; maybe you don't have access by default to this index. You can also try adding index=* or index=[your_index_name] before your search.
2 - If you are using a custom index, make sure it's well defined on your indexers and that you can access it.
3 - Also I'm pretty sure that by default the sourcetype for Active Directory should be something like sourcetype="WinEventLog:Directory Service"
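As an added diagnostic (not part of the thread above, and not from Splunk or the add-on documentation), the quickest way to settle the "which sourcetype do I actually have?" question is to let the indexers list what has arrived, rather than guessing names. The searches below assume the msad index from the original post and a 24-hour window; the sourcetype patterns are the ones discussed in this thread plus the ActiveDirectory sourcetype that the Windows Infrastructure app expects.

```spl
| tstats count where index=* earliest=-24h by index, sourcetype
| search index=msad OR sourcetype="ActiveDirectory*" OR sourcetype="WinEventLog:Directory*"
| sort - count
```

If index=msad shows WinEventLog:Directory Service events but no ActiveDirectory sourcetype at all, the gap is on the collection side, not in the search: the ActiveDirectory sourcetype comes from the Active Directory monitoring (admon) input of the Windows add-on, which is separate from event-log collection and disabled by default. Enabling the `[admon://...]` stanza (`disabled = 0`) on a forwarder that can reach a domain controller is the thing to check in that case. If the tstats search returns nothing for index=msad at all while a plain search does, then the role or index-access issue from point 1 above is the more likely cause.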