We are having trouble receiving events from
sourcetype="ActiveDirectory*". We did everything that was explained in the documentation:
- amend GPO Group Policies
- amend PowerShell settings for local and remote signed script execution
- install Splunk Add-on for Microsoft Powershell
- install Splunk Add-on for Microsoft Windows Active Directory
We are receiving most data from Active Directory, but
sourcetype="ActiveDirectory*" is missing. The Splunk Add-on for Microsoft PowerShell seems to work properly. The Group Policies are set correctly. The other checks on the msad index went well, and we can see events arriving in msad. (Please have a look at the screenshot below from the guided setup in the Splunk App for Windows Infrastructure.) Any ideas?
Can you check these points?
1 - Are you sending your logs to the main index? Check your role; maybe you don't have access to this index by default.
You can also try adding index=* or index=[yourindexname] before your search.
2 - If you are using a custom index, make sure it's well defined on your indexers and that you can access it.
3 - Also, I'm pretty sure that by default the sourcetype for Active Directory should be something like sourcetype="WinEventLog:Directory-Service".

Thank you for your answer:
sourcetype="WinEventLog:Directory-Service" but too few. My question here is: if the sourcetype for Active Directory should be
sourcetype="WinEventLog:Directory-Service", why then is the Windows Infrastructure App searching for sourcetype="ActiveDirectory*"?
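The two sourcetypes in this thread come from two different inputs on the forwarder, which is why receiving one does not imply the other. As an added example (not code from the thread or from Splunk), the inputs.conf stanzas below show a forwarder on a domain controller configured so that both arrive in the msad index named in the question. Assumptions: the file lives in the add-on's local/inputs.conf on the forwarder, the stanza name "NearestDC" and the empty targetDc/startingNode values are placeholders, and the index name msad is taken from the thread.

```ini
# Added example, not from the original thread. Forwarder-side inputs.conf on a
# domain controller; index name "msad" comes from the question, stanza names
# and target values are placeholders (assumptions).

# Windows Event Log input: produces sourcetype="WinEventLog:Directory-Service".
# This is the Directory Service channel of the Windows event log; it does NOT
# produce the ActiveDirectory* sourcetype.
[WinEventLog://Directory Service]
disabled = 0
index = msad
checkpointInterval = 5
current_only = 0

# Active Directory monitoring (admon) input: produces sourcetype="ActiveDirectory",
# which is what the Windows Infrastructure App searches for with
# sourcetype="ActiveDirectory*". Check the add-on's default/inputs.conf: if the
# admon stanza there is disabled, nothing with this sourcetype is ever sent,
# regardless of GPO, PowerShell policy or the event-log inputs working.
[admon://NearestDC]
targetDc =
startingNode =
monitorSubtree = 1
baseline = 1
disabled = 0
index = msad
```

After restarting the forwarder, confirm which stanza actually won the configuration layering with `splunk btool inputs list admon --debug` on the forwarder, then check arrival on the search head with `index=msad | stats count by sourcetype`; both `WinEventLog:Directory-Service` and `ActiveDirectory` should appear. If only the former shows up, the admon stanza is still disabled or the forwarder is not a domain controller.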