Not sure how this slipped past us when we installed the Splunk App for Windows Infrastructure, but we've got a sourcetype called ActiveDirectory that is going to our main index that I need to move elsewhere. I believe it's in main due to default settings, but I'm not finding the stanza where the sourcetype ActiveDirectory is being set or what's driving the collection of this data, so it's unclear where I should add the index stanza.
We currently have:
windows that contains sourcetype DhcpSrvLog that comes from a custom DHCP app that copies stanzas from Splunk_TA_windows
wineventlog that contains sourcetypes (coming from Splunk_TA_windows/default/inputs.conf):
(and coming from TA-DomainController-201R2/default/inputs.conf)
Then also the index
msad that contains the sourcetypes also coming from TA-DomainController-201R2/default/inputs.conf:
We also have
perfmon index, but we've disabled all perfmon functions at the request of our DC admins due to performance hits.
Our PDC also has the app TA-DomainController-2012R2 that contains the local/inputs.conf stanza:
[admon://ADMonitoring]
targetDC = <hostname>
baseline = false
disabled = false
I'd tend to think this is where the index for the ActiveDirectory sourcetype would be set, but I'm not finding any documentation to support that idea.
I need to know:
1) If it would be best practice to include this sourcetype in one of the existing indexes, or if keeping it in its own index would be preferred.
2) Is the admon://ADMonitoring stanza the correct place to designate the index for this data, or am I confused about what that stanza does?
Per Splunk TA for Active Directory:
indexes.conf has msad
and inputs for [admon] are as follows:
monitorSubtree = 1
The [admon] stanza comes with no index specification. You can place it in any index you would like by indicating one. I have seen many organizations point it to index = msad.
Hope it helps.
Maybe I'm missing something here, but I can't see that this app has a tags.conf, which I understand is needed to map logs to CIM. My events look like the samples presented by Splunk in the documentation.
If it's not being set within the inputs.conf, then check the transforms.conf / props.conf and see if it's using a REGEX or something to define / transform the data before indexing. The NIX app does that with syslog data.
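As an added example (not from this thread, the TA, or Splunk's own code), the following sh script shows how to read `splunk btool inputs list --debug` output, which prefixes every merged line with the .conf file it came from, to confirm whether any layer sets index for a stanza such as admon://ADMonitoring. The btool output here is a constructed sample; the paths and the targetDC hostname are made up.

```shell
#!/bin/sh
# Constructed sample of `splunk btool inputs list --debug` output; it is not
# output from the poster's system. With --debug, btool prefixes every line with
# the .conf file that contributed it, after merging the default/ and local/
# layers, which is the quickest way to see which file sets a stanza or key.
BTOOL_SAMPLE='/opt/splunk/etc/apps/TA-DomainController-2012R2/local/inputs.conf [admon://ADMonitoring]
/opt/splunk/etc/apps/TA-DomainController-2012R2/local/inputs.conf baseline = false
/opt/splunk/etc/apps/TA-DomainController-2012R2/local/inputs.conf disabled = false
/opt/splunk/etc/apps/TA-DomainController-2012R2/default/inputs.conf monitorSubtree = 1
/opt/splunk/etc/apps/TA-DomainController-2012R2/local/inputs.conf targetDC = dc01.example.local
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Security]
/opt/splunk/etc/apps/Splunk_TA_windows/default/inputs.conf index = wineventlog'

# where_set STANZA KEY
# Prints "<file> <value>" for KEY inside [STANZA], or "unset" when no layer
# sets it. An unset index means the input falls through to the default index.
where_set() {
  printf '%s\n' "$BTOOL_SAMPLE" | awk -v stanza="$1" -v key="$2" '
    BEGIN { want = "[" stanza "]" }
    $2 ~ /^\[/ { in_stanza = ($2 == want); next }   # stanza header line
    in_stanza && $2 == key { print $1, $4; found = 1; exit }
    END { if (!found) print "unset" }'
}

# On a real host, replace BTOOL_SAMPLE with live output, e.g.:
#   $SPLUNK_HOME/bin/splunk btool inputs list 'admon://ADMonitoring' --debug
where_set 'admon://ADMonitoring' index
where_set 'WinEventLog://Security' index
```

With the sample above, the admon stanza reports "unset" while the Security event log input shows the file that pins it to wineventlog; on the real host the same check tells you which local/inputs.conf to add index = to.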
Thanks for the suggestion. I've gone through all the conf files, both default and local, for all apps that are installed on the DC the ActiveDirectory sourcetype is coming from... nowhere is there anything indicating sourcetype=ActiveDirectory.
As stated originally, the closest thing I can find is the admon://ADMonitoring stanza.