Not sure how this slipped past us when we installed the Splunk App for Windows Infrastructure, but we've got a sourcetype called ActiveDirectory that is going to our main index that I need to move elsewhere. I believe it's in main due to default settings, but I'm not finding the stanza where the sourcetype ActiveDirectory is being set, or what's driving the collection of this data, so it's unclear where I should add the index setting.
We currently have:

Index windows, which contains sourcetype DhcpSrvLog, coming from a custom DHCP app that copies stanzas from Splunk_TA_windows.

Index wineventlog, which contains these sourcetypes (coming from Splunk_TA_windows/default/inputs.conf):
WinEventLog:Application
WinEventLog:Security
WinEventLog:System
(and, coming from TA-DomainController-2012R2/default/inputs.conf)
WinEventLog:DFS-Replication
WinEventLog:Directory-Service

Then also the index msad, which contains these sourcetypes, also coming from TA-DomainController-2012R2/default/inputs.conf:
MSAD:NT6:Health
MSAD:NT6:Netlogon
MSAD:NT6:SiteInfo
Powershell:ScriptExecutionErrorRecord
Powershell:ScriptExecutionSummary

We also have a perfmon index, but we've disabled all perfmon functions at the request of our DC admins due to performance hits.
Our PDC also has the app TA-DomainController-2012R2, which contains this local/inputs.conf stanza:

[admon://ADMonitoring]
targetDC = <hostname>
baseline = false
disabled = false
I'd tend to think this is where the index for the ActiveDirectory sourcetype would be set, but I'm not finding any documentation to support that idea.

I need to know:
1) Whether it would be best practice to include this sourcetype in one of the existing indexes, or whether keeping it in its own index would be preferred.
2) Whether the admon://ADMonitoring stanza is the correct place to designate the index for this data, or am I confused about what that stanza does?
Thank you!
Per the Splunk TA for Active Directory:
https://splunkbase.splunk.com/app/3207/

indexes.conf has msad, and the inputs for [admon] are as follows:

[admon://NearestDC]
monitorSubtree = 1
interval = 3600
disabled = false
index = msad
cheers
Hi. Did you find an answer for what to do with your ActiveDirectory logs? I'm facing the same issue here.
The [admon] stanza comes with no index specification. You can place it in any index you would like by indicating one. I have seen many organizations point it to index = msad.
Hope it helps.
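To make the point in the two posts above concrete (an admon stanza with no index setting falls through to Splunk's default index, which is main unless you change it), here is an added example that is not code from this thread, from Splunk, or from any of the TAs mentioned. It parses a constructed pair of default/inputs.conf and local/inputs.conf layers, merges them the way Splunk layers an app's default and local directories (local overrides default per stanza and per setting; the file-wide [default] stanza is used as a fallback, a simplification of Splunk's full precedence rules), reports which enabled stanzas have no effective index setting, and renders the local/inputs.conf override that pins one to msad. The app layout, hostnames, stanza names and settings in the sample text are constructed for the example.

```python
"""Audit Splunk inputs.conf layers for stanzas that have no `index` setting.

Added example, not from the thread or from Splunk. The two conf strings below
are constructed sample input mirroring the situation in the question: the admon
stanza exists only in local/inputs.conf and sets no index.
"""
import configparser
from typing import Dict, List, Tuple

# Splunk's built-in default index, unless indexes.conf or a [default] stanza
# in inputs.conf changes it.
SPLUNK_DEFAULT_INDEX = "main"

# Constructed: <app>/default/inputs.conf
DEFAULT_INPUTS = """
[default]
host = DC01

[WinEventLog://Security]
disabled = 0
index = wineventlog

[admon://NearestDC]
monitorSubtree = 1
interval = 3600
disabled = 1
"""

# Constructed: <app>/local/inputs.conf (what the question shows on the PDC)
LOCAL_INPUTS = """
[admon://ADMonitoring]
targetDC = DC01
baseline = false
disabled = false

[admon://NearestDC]
disabled = 0
"""

Layer = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Layer:
    """Parse Splunk .conf syntax: INI-like, '=' delimiter, '#' comments, case-sensitive keys."""
    cp = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#",), strict=False,
        empty_lines_in_values=False,
    )
    cp.optionxform = str  # keep key case; Splunk settings are case-sensitive
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_layers(*layers: Layer) -> Layer:
    """Later layers (local) override earlier ones (default), per stanza and per setting."""
    merged: Layer = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def effective_index(merged: Layer, stanza: str) -> Tuple[str, str]:
    """Return (index, where_it_came_from) for a stanza after layering."""
    if "index" in merged[stanza]:
        return merged[stanza]["index"], "stanza"
    if "index" in merged.get("default", {}):
        return merged["default"]["index"], "[default] stanza"
    return SPLUNK_DEFAULT_INDEX, "splunk default"


def is_enabled(settings: Dict[str, str]) -> bool:
    """Splunk accepts 0/1 and true/false for `disabled`; absent means enabled."""
    return settings.get("disabled", "0").strip().lower() not in ("1", "true")


def audit_inputs(layers: List[Layer]) -> Dict[str, Tuple[bool, str, str]]:
    """Map each input stanza to (enabled, effective index, source of that index)."""
    merged = merge_layers(*layers)
    report = {}
    for stanza, settings in merged.items():
        if stanza == "default":
            continue
        index, source = effective_index(merged, stanza)
        report[stanza] = (is_enabled(settings), index, source)
    return report


def unpinned(report: Dict[str, Tuple[bool, str, str]]) -> List[str]:
    """Enabled stanzas whose data lands in the default index only by omission."""
    return sorted(s for s, (enabled, _, source) in report.items()
                  if enabled and source == "splunk default")


def fix_stanza(stanza: str, index: str) -> str:
    """Render the local/inputs.conf override that pins a stanza to an index."""
    return f"[{stanza}]\nindex = {index}\n"


if __name__ == "__main__":
    layers = [parse_conf(DEFAULT_INPUTS), parse_conf(LOCAL_INPUTS)]
    report = audit_inputs(layers)
    for stanza, (enabled, index, source) in sorted(report.items()):
        print(f"{stanza:28s} enabled={enabled!s:5s} index={index:12s} ({source})")
    for stanza in unpinned(report):
        print("\n# add to local/inputs.conf:\n" + fix_stanza(stanza, "msad"))
```

On a real forwarder the equivalent check is `$SPLUNK_HOME/bin/splunk btool inputs list admon --debug`, which prints every admon stanza after layering together with the file each setting came from; a stanza listed there with no `index` line is one this script would flag. Pinning the index in the same app's local/inputs.conf, as `fix_stanza` renders it, survives TA upgrades because default/ is replaced and local/ is not.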
Thank you for your answer. I was actually wondering if there's a TA for the ActiveDirectory logs that can map them to CIM, if that's even possible at all?
There is:
https://splunkbase.splunk.com/app/3207/

Its inputs.conf has admon as follows:

[admon://NearestDC]
monitorSubtree = 1
interval = 3600
disabled = false
index = msad
Maybe I'm missing something here, but I can't see that this app has a tags.conf, which I understand is needed to map logs to CIM. My events look like the samples presented by Splunk in the documentation.
If it's not being set within inputs.conf, then check transforms.conf / props.conf and see if it's using a REGEX or something to define / transform the data before indexing. The NIX app does that with syslog data.
Thanks for the suggestion. I've gone through all the conf files, both default and local, for all apps that are installed on the DC the ActiveDirectory sourcetype is coming from; nowhere is there anything indicating sourcetype=ActiveDirectory.
As stated originally, the closest thing I can find is the admon://ADMonitoring stanza.
I am also facing a similar issue; so far I haven't found any solution for this. Could anyone who has fixed it please help me with the same?