Splunk App for Windows Infrastructure: Splunk forwarder is sending TA_Windows data, but why not the TA_DomainControllerNT6?

m_varenard
Explorer

Hello,

I installed a Splunk forwarder on my Windows 2008 R2 Active Directory to send data to my Splunk server (for Splunk App for Windows Infrastructure).
During the installation of the forwarder on the AD, I checked "Install Windows add-on".
After that I manually added the TA_DomainControllerNT6 add-on by copying it under /etc/apps.

Now my forwarder is sending data from TA_Windows normally (perfs, events, ...) but is not sending anything from TA_DomainControllerNT6 (AD health, etc.).
I created the GPO to allow PowerShell execution, and I set everything to disabled=0 under TA_DomainControllerNT6/inputs.conf...

Do you have any idea what my problem could be?

Thanks in advance


ahall_splunk
Splunk Employee

So this isn't a problem with the TA per se. Rather it is a problem with your entire environment and copying the TA to the universal forwarder. My next suggestion would be to look at permissions. However, there is an easier method here.

1) Copy the TA to your search head in etc/deployment-apps
2) Set up a deployment server with forwarder management
3) Turn on the deployment client on your Universal Forwarder (you can create a deployment-client.conf in etc/system/local and restart)

Make sure "Everyone" or "NT AUTHORITY\SYSTEM" has permission to read the file. The splunkd.log will tell you that it is querying the deployment server for information if it is working.
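The deployment-server setup from the three steps above, as an added configuration example that is not from the original post: serverclass.conf on the deployment server (which can be the search head) maps the TA to the domain controller, and deployment-client.conf on the forwarder points it at that server. The deployment server host, the domain controller hostname and the phone-home interval are assumed placeholders; the app folder name is the one that appears in the forwarder's splunkd.log, TA-DomainController-NT6.

```ini
# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Assumes the TA was copied to $SPLUNK_HOME/etc/deployment-apps/TA-DomainController-NT6
[serverClass:domain_controllers]
# Match the forwarder(s) that should receive the TA; dc01.example.com is a placeholder
whitelist.0 = dc01.example.com

[serverClass:domain_controllers:app:TA-DomainController-NT6]
# Restart splunkd on the forwarder once the app is pushed so its scripted inputs start
restartSplunkd = true

# --- Universal forwarder (the domain controller): $SPLUNK_HOME/etc/system/local/deployment-client.conf ---
[deployment-client]
# How often the forwarder checks in with the deployment server (seconds; placeholder value)
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
# Deployment server host and management port; deploy.example.com is a placeholder, 8089 is Splunk's default management port
targetUri = deploy.example.com:8089
```

After the forwarder is restarted, its splunkd.log should show it contacting the deployment server, and the pushed copy of the TA is written under etc/apps by the forwarder service itself, which sidesteps the read-permission problem a hand-copied folder can have.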

m_varenard
Explorer

Thank you for this idea, ahall_splunk.

It was a good way to get past the problem. I now see data from AD coming in. (Not much, but that is another problem.)

m_varenard
Explorer

Thank you for this fast answer, I checked all these points:

1) Yes, I restarted the Splunk Forwarder service after adding TA_DomainControllerNT6.

2)A) I have data from perfmon and WinEventLog coming in, but they are from TA_Windows. If I set them to disabled=1 in TA_Windows/inputs.conf, nothing comes in anymore.
Absolutely nothing is coming from TA_DomainControllerNT6 and TA_DnsNT6.

2)B) I don't see anything related to netlogon.log.

2)C) In my splunkd.conf I see that all the PowerShell scripts are scheduled for AD and DNS. So I guess that my Splunk forwarder detects my add-ons correctly:

12-04-2014 09:28:37.759 +0100 INFO  ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\bin\runpowershell.cmd" dns-health.ps1
12-04-2014 09:28:37.759 +0100 INFO  ExecProcessor -     interval: 3600000 ms
12-04-2014 09:28:37.759 +0100 INFO  ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DNSServer-NT6\bin\runpowershell.cmd" dns-zoneinfo.ps1
12-04-2014 09:28:37.759 +0100 INFO  ExecProcessor -     interval: 3600000 ms
12-04-2014 09:28:37.759 +0100 INFO  ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd" ad-health.ps1
12-04-2014 09:28:37.759 +0100 INFO  ExecProcessor -     interval: 300000 ms
12-04-2014 09:28:37.759 +0100 INFO  ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd" ad-repl-stat.ps1
12-04-2014 09:28:37.759 +0100 INFO  ExecProcessor -     interval: 300000 ms
12-04-2014 09:28:37.759 +0100 INFO  ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd" siteinfo.ps1
12-04-2014 09:28:37.759 +0100 INFO  ExecProcessor -     interval: 3600000 ms

I let the thing run for 20 minutes and no errors are coming in splunkd.log, so I guess the PowerShell scripts are running without error.

3) The documentation states that only version 2.0 of PS is required. When I run the PS1 script myself to check that my version is good, it runs without problem.
I ran the script manually with psexec -i -s and it is working fine.

I discovered something that could be a clue. When I check "Install Windows add-on" in the Splunk forwarder installer, TA_Windows is automatically placed in etc/apps and it works fine. But when I don't check it, and install the add-on manually by copying it, it does not work.
So it seems that the installer is doing something I'm not, and that is maybe why my manually installed TA_DomainController and TA_DNS won't work.
I don't understand what I could be missing. I'm editing local/inputs.conf and copying the add-on as stated in the doc.

ahall_splunk
Splunk Employee

There are several things that can be going wrong here. Your best bet is to look in the splunkd.log (you can use your Splunk instance for this - index=_internal source=*splunkd.log) for the culprit.

Things to ask:
1) Did you restart the UF after copying the TA into the etc/apps area?
2) What data is coming in?
2.a) Is the data for the perfmon and WinEventLog stanzas coming in?
2.b) Is the data for the netlogon.log coming in?
2.c) Which PowerShell commands are actually executing and which ones are failing?
3) Have you installed WinRM 3.0 and PowerShell v3?

If it's just the PowerShell stuff that is failing (which would be my initial thought), then downloading psexec and running psexec -s to get a system shell would be a start. You can then run the PowerShell scripts as the user that is running the universal forwarder and check for errors. Check out this blog post: http://blogs.splunk.com/2013/05/29/running-as-a-windows-service/