All Apps and Add-ons

Splunk Add-on for Microsoft Windows Active Directory: Why does my search "sourcetype="ActiveDirectory*" | head 5" not return any events?

Path Finder

Hi,

we are having trouble receiving events from sourcetype="ActiveDirectory*". We did everything what was explained in the documentation:
- amend GPO Group Policies
- amend PowerShell Settings for local and remote singed script execution
- install Splunk Add-on for Microsoft Powershell
- install Splunk Add-on for Microsoft Windows Active Directory

we are receiving most data from active directory but sourcetype="ActiveDirectory*" is missing. Splunk Add-on for Microsoft Powershell seems to work properly. Group Policies are set right. The other checks on msad index went well. We can see events arriving in msad. (Please have a look at below screenshot from the guided setup in the Splunk App for Windows Infrastructure.) Any ideas?

alt text

0 Karma

Path Finder

Thank you for your answer:

  1. I added the necessarcy Indexes to my role. Also I should be allowed to read all Indexes. I tried adding index=* before my search. Still no success.
  2. I don't use custom Indexes.
  3. I see some Events for sourcetype="WinEventLog:Directory-Service" but to few. My question here is: If the sourcetype for Active Directory should be sourcetype="WinEventLog:Directory-Service" why then the Windows Infrastructure App is searching for sourcetype="ActiveDirectory*"

Thanks

0 Karma

Communicator

Can you check this points ?

1 - Are you sending your logs to the main index ? Check your role maybe you don't have access by default to this index.
You can also try adding index=* or index=[yourindexname] before you search.

2- If you are using a custom index make sure it's well defined on you indexers and that you can access it.

3 - Also I'm pretty sure that by default the sourcetype for Active Directory should be something like sourcetype="WinEventLog:Directory Service"

0 Karma