All Apps and Add-ons

Splunk App Windows Infrastructure upgrade - No "sourcetype="MSAD*" found

Explorer

I've recently upgraded to Splunk App for Windows Infrastructure 1.1.1 from version 1.0.4. Previously I had no issues with Active Directory data detection or Splunk App for Active Directory(SA-ldapsearch) version 2.0.1 and can still successfully search for queries like '|ldapsearch domain=DOMAIN search="(cn=Administrator)"'). Since the upgrade, when I run through the first-time setup wizard I get the error, "ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours" when checking for data being provided by the environment.

I'm then provided with a link named, "Splunk Add-on for Microsoft Windows Active Directory for Splunk Universal Forwarder" however the link takes me to setup instruction for the Windows Infrastructure App. Since I'm still able to perform ldapsearch queries from the search app I'd assume the Splunk App for Active Directory is working correctly.

Also, when viewing the upgrade instruction(http://docs.splunk.com/Documentation/MSApp/1.1.1/MSInfra/UpgradetheSplunkAppforWindowsInfrastructure) you're instructed to download 'Splunk Supporting Add-on for Active Directory version 2.0.2 or later' however version 2.0.1 is the latest version I can currently find for download.

I'd appreciate any insight as I've hit a wall and cannot proceed with the upgraded version of the Windows Infrastructure app.

1 Solution

Splunk Employee
Splunk Employee

Hi,

Have you made sure that the user that you log into Splunk Enterprise with has the 'winfra-admin' role? That role lets you search the proper default indexes that come with the app.

The Splunk Supporting Add-on for Active Directory is currently at version 2.0.1. The reference to 2.0.2 has been corrected. Apologies for any confusion.

View solution in original post

Splunk Employee
Splunk Employee

See my response above. If you run 2012R2 you need to also deploy the SA-ModularInput-Powershell as well as TA-DomainController-2012R2.

0 Karma

Communicator

That worked. I copied the TA-DomainController-NT6 app to the SH and I was able to complete the setup.

Thanks!

Path Finder

I have the same issue - what is the SH stand for. I am bit of a newbie. Thanks

0 Karma

Path Finder

I am guessing SH is Splunk Search Head server. I copied the TA-DomainController-NT6 but still get the same error. I have two DCs with the UF on them - I am only seeing some data forwarded from he First DC like password changes, unlocks and Administrator logons. The Splunk server is now reporting Administrator Logons, so I assume it is forwarding those. Any other ideas how to seed the MSAD search

0 Karma

Communicator

Which directory did you copy the TA-DomainController-NT6 folder to? Make sure it's copied to the etc\apps directory only on the Search Head. You will also have to install the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch) and configure an account Spunk can use to query AD. Lastly, you will have to install the add-on on your DC universal forwarders. You can manually copy the folders to them, or use a deployment server - the preferred method.

0 Karma

Path Finder

Hi all, thanks for the direction, I'm having the same issue but making progress. So now my DCs are sending to both index=msad and index=activedirectory but only the eventsource=msad is NOT working. My DCs are 2012R2 is this a powershell issue? I have the app installed and deployed on the DC but the eventsource=msad is still not coming in???

TIA!

0 Karma

Splunk Employee
Splunk Employee

If you run Windows Server 2012R2, then you need to deploy the TA-DomainController2012R2 and the SA-ModularInput-Powershell add-ons to those DCs.

0 Karma

Communicator

Yes, in the Windows Infra app, there is a separate TA for 2012 servers.
Go to http://docs.splunk.com/Documentation/MSApp/latest/MSInfra/DownloadandconfiguretheSplunkAdd-onsforAct... for more information.

0 Karma

Path Finder

I had the powershell add-on installed, but i needed my windows admin to tweak the powershell read/write. It's no working perfectly. Thank you!

0 Karma

Communicator

I do not need to monitor AD DCs in my environment and only have member servers with the UF and TA installed and configured. The admon input was enabled on my SH which I have disabled. How do I get Splunk App Windows Inf to find data with the MSAD sourcetype to complete the guided setup?

0 Karma

Splunk Employee
Splunk Employee

Ah! Right. Yes, unfortunately that is a bug, and we'll be addressing it in a point release.

In the meantime, to get through setup, go ahead and deploy the Active Directory TA onto your SH to generate some dummy data. Once you have enough to get through setup (you only need about 5-10 events or so, turn it off.

Apologies for the inconvenience.

Path Finder

I did this step in an attempt to get msad data to seed. Actual issue was msad where not in default search indexes. Now my SH shows as a DC in my status list. I'd like to undo this work around.

1) How do I delete the data and the SH from the Active Directory --> Domain Controllers --> DC Status list ?

2) To turn it off: Do I set the inputs.conf to disable = 1 in the SH in the Program Files\Splunk\etc\apps\TA-DomainController-NT6\local
3) Do I need to restart service on the SH

Thanks

0 Karma

Communicator

I am having similar issues. I am not even monitoring Active Directory DCs but have installed the Splunk Supporting Add-on for Active Directory and setup a service account for LDAP functionality. I see data from the MSAD index but not a sourcetype. Data from the MSAD index has a sourcetype of "ActiveDirectory".

And yes, I have met all the prerequisites however setup is giving me "ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours".

0 Karma

Splunk Employee
Splunk Employee

The Splunk Supporting Add-on for Active Directory doesn't actually collect AD events. It performs LDAP queries against your AD DCs and returns events based on those queries. Those events have no source type.

But it seems like you might have enabled the Active Directory input when you installed the universal forwarder. This is because "ActiveDirectory" is the default source type that gets assigned to default admon inputs. It's important not to enable any inputs when you install the UF because the TAs that come with the Windows Infrastructure app will take care of collecting all that information with the right source type.

At this point it's best to just delete that data and then install the correct Active Directory add-on for your version of Windows Server into the universal forwarder that is on the domain controller. That way the data will be indexed correctly, and the app will see it.

0 Karma

New Member

How do I go about installing that Active Directory add-on for my Windows Servers (Active Directory Domain Controllers) into the Universal Forwarder that is on the Domain Controllers?

I'm having the same issue as discussed in the original questions above, but am not sure how to make sure that the add-on's get into the UF's on my DC's.

(Working from Linux Search Head/Indexer server, with primarily Windows client systems that have the UF's installed on them)

0 Karma

Communicator

I don't understand this question - deploy the addon using a server class. I created a new server class called domain controllers and add that as a deployed app to just those computers.

0 Karma

New Member

I don't understand your question either (though I do kind of understand it as what you telling me to do is what I need the help doing).

I understand the need to deploy the add-on, but don't understand how to get the add-on added for deployment via the Server Class.

I did, I think, create a Server Class for my servers and see them in it, but don't understand how I get add-on's into whatever then makes them ready for deployment via Server Class. (If that makes sense).

Do I simply copy some files from some location (that I'm not really sure of), or do I drag and drop something somewhere (Windows style, though I'm working with a RHEL server and Windows Clients) in order to make the necessary add-ons available.

The description of the process is fine, the details of the process are where I'm lost at (in that last mile or so of getting something done).

0 Karma

Communicator

Check here

http://docs.splunk.com/Documentation/Splunk/6.2.0/Updating/Updateconfigurations

Hate it when people push me off to docs but there is a lot that can be missed setting up deployment apps. I don't want to forget something. This should point you in the right direction. The instructions for the app should also have information on how to deploy this.

Long story short you have to copy the folder you want to deploy to the /opt/splunk/etc/deployment-apps folder and then the server class that you set up will deploy that app to the server you are monitoring. This is usually in the instructions of the apps.

0 Karma

New Member

Thanks, I think the link you posted should help get me where I need to be (and your further description of the process was also helpful).

0 Karma

Communicator

Good luck!

0 Karma

New Member

Back with one more related issue...

I did click on the documentation related to managing apps for server classes, here:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Updating/Useforwardermanagement

When I get to the Add Apps part is where things are broken for me. I see the Add Apps button there, but it is grayed out and not clickable for me. There are no Apps listed below.

What I see is actually this:

....
You haven't added any apps
[ _ Add Apps ]

Clients edit
...

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!