I've recently upgraded to Splunk App for Windows Infrastructure 1.1.1 from version 1.0.4. Previously I had no issues with Active Directory data detection or Splunk App for Active Directory(SA-ldapsearch) version 2.0.1 and can still successfully search for queries like '|ldapsearch domain=DOMAIN search="(cn=Administrator)"'). Since the upgrade, when I run through the first-time setup wizard I get the error, "ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours" when checking for data being provided by the environment.
I'm then provided with a link named, "Splunk Add-on for Microsoft Windows Active Directory for Splunk Universal Forwarder" however the link takes me to setup instruction for the Windows Infrastructure App. Since I'm still able to perform ldapsearch queries from the search app I'd assume the Splunk App for Active Directory is working correctly.
Also, when viewing the upgrade instruction(http://docs.splunk.com/Documentation/MSApp/1.1.1/MSInfra/UpgradetheSplunkAppforWindowsInfrastructure) you're instructed to download 'Splunk Supporting Add-on for Active Directory version 2.0.2 or later' however version 2.0.1 is the latest version I can currently find for download.
I'd appreciate any insight as I've hit a wall and cannot proceed with the upgraded version of the Windows Infrastructure app.
Have you made sure that the user that you log into Splunk Enterprise with has the 'winfra-admin' role? That role lets you search the proper default indexes that come with the app.
The Splunk Supporting Add-on for Active Directory is currently at version 2.0.1. The reference to 2.0.2 has been corrected. Apologies for any confusion.
Yes, sorry. I should've stated the Prerequisites checks are all successful(green check marks). Also, I'm seeing no errors on the forwarders regarding the PS scripts used to collect AD info by the TA-DomainController-NT6 add on. Again, this application wias working correctly with the previous version Splunk App Windows Inf 1.0.4.
Right, it's the data check that is failing.
Events with source type MSAD go into the 'msad' index by default.
Make sure that the 'winfra-admin' role searches the 'msad', 'perfmon', and 'winevents' roles by default.
In the Splunk system bar, select "Settings" > "Access controls." From there , click "Roles", then click "winfra-admin." Once you get to that page, scroll down to "Indexes searched by default." The three indexes I mentioned above should be in the "Selected Indexes" pane.
I am having similar issues. I am not even monitoring Active Directory DCs but have installed the Splunk Supporting Add-on for Active Directory and setup a service account for LDAP functionality. I see data from the MSAD index but not a sourcetype. Data from the MSAD index has a sourcetype of "ActiveDirectory".
And yes, I have met all the prerequisites however setup is giving me "ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours".
The Splunk Supporting Add-on for Active Directory doesn't actually collect AD events. It performs LDAP queries against your AD DCs and returns events based on those queries. Those events have no source type.
But it seems like you might have enabled the Active Directory input when you installed the universal forwarder. This is because "ActiveDirectory" is the default source type that gets assigned to default admon inputs. It's important not to enable any inputs when you install the UF because the TAs that come with the Windows Infrastructure app will take care of collecting all that information with the right source type.
At this point it's best to just delete that data and then install the correct Active Directory add-on for your version of Windows Server into the universal forwarder that is on the domain controller. That way the data will be indexed correctly, and the app will see it.
How do I go about installing that Active Directory add-on for my Windows Servers (Active Directory Domain Controllers) into the Universal Forwarder that is on the Domain Controllers?
I'm having the same issue as discussed in the original questions above, but am not sure how to make sure that the add-on's get into the UF's on my DC's.
(Working from Linux Search Head/Indexer server, with primarily Windows client systems that have the UF's installed on them)
I don't understand this question - deploy the addon using a server class. I created a new server class called domain controllers and add that as a deployed app to just those computers.
I don't understand your question either (though I do kind of understand it as what you telling me to do is what I need the help doing).
I understand the need to deploy the add-on, but don't understand how to get the add-on added for deployment via the Server Class.
I did, I think, create a Server Class for my servers and see them in it, but don't understand how I get add-on's into whatever then makes them ready for deployment via Server Class. (If that makes sense).
Do I simply copy some files from some location (that I'm not really sure of), or do I drag and drop something somewhere (Windows style, though I'm working with a RHEL server and Windows Clients) in order to make the necessary add-ons available.
The description of the process is fine, the details of the process are where I'm lost at (in that last mile or so of getting something done).