Hi All,
I have installed the Splunk App for Windows Infrastructure in Splunk 6.3.2 (build aaff59bb082c), and also configured all add-ons on Windows 2008 R2. I am able to get the data for Splunk_TA_windows, but no logs are being collected by the Windows Infrastructure app. When I search manually with index=main, I am able to see logs related to Active Directory, but I have configured the AD indexes as ad-perfmon, msad, winevents (copied from default/ to local/) on both the indexer and the Universal Forwarder as well. However, I'm still not able to get the AD-related data, as the topology is blank.
FYI...
get-executionpolicy > RemoteSigned
In Win2008R2, below are the add-ons configured:
splunk_app_windows_infrastructure >TA-DNSServer-NT6/local/inputs.conf
splunk_app_windows_infrastructure >TA-DomainController-NT6/local/inputs.conf
Splunk_TA_windows> local/inputs.conf
SA-ModularInput-PowerShell
On the receiving side:
SA-ldapsearch > configured and connection is successful
splunk_app_windows_infrastructure > configured local/indexes.conf, eventtype.conf
Splunk_TA_windows > configured local/indexes.conf, eventtype.conf
I had a similar problem with an inputs.conf that did not specify an index or sourcetype in a monitor stanza. For example, someone had entered a monitor for SMTP logging on a Windows SMTP server but did not specify an index to send the data to.
Example command: ./splunk add monitor C:\windows\system32\logfiles\SMTPSVC1
Search your inputs.conf for items without a sourcetype or a specific index name:
[monitor://C:\Windows\System32\LogFiles\SMTPSVC1]
sourcetype = mssmtp
index = mssmtp
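The answer above boils down to a configuration audit: any input stanza that sets no index is routed by Splunk to the default index, which is main unless the indexer's default has been changed, which is also why the later question asks why AD events land in main without main appearing in any configuration. The script below is an added example written for this page, not code from the thread or from Splunk; it layers default/ and local/ inputs.conf text the way btool does (later layer overrides earlier, stanzas matched by exact header string), honours an index set in the [default] stanza, and reports monitor stanzas that would fall through to the default index. The inputs.conf contents and paths are constructed for the example; a real run would read the files under SPLUNK_HOME/etc/apps instead.

```python
"""Audit Splunk inputs.conf layers for inputs that set no index.

Added example, not part of the original thread. All stanza contents below are
constructed sample data; the parser is a deliberately small subset of Splunk's
.conf handling (headers, key = value, # comments, [default] inheritance).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
KV_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*)$")


@dataclass
class Routing:
    index: str          # index the event will actually be written to
    sourcetype: str     # "" means Splunk will auto-assign one
    index_explicit: bool  # False when the index is only the server default


def parse_conf(text: str) -> Conf:
    """Parse .conf text into {stanza: {key: value}}.

    Keys that appear before any header belong to [default], as in Splunk.
    """
    conf: Conf = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = header.group(1)
            conf.setdefault(current, {})
            continue
        kv = KV_RE.match(line)
        if kv:
            conf.setdefault(current, {})[kv.group(1).strip()] = kv.group(2).strip()
    return conf


def merge_layers(layers: List[Conf]) -> Conf:
    """Merge layers in precedence order (e.g. default/ then local/).

    A later layer overrides keys of the same stanza; stanzas are matched by the
    exact header string, so a differently-cased path is a separate input.
    """
    merged: Conf = {}
    for layer in layers:
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def effective_inputs(merged: Conf, default_index: str = "main") -> Dict[str, Routing]:
    """Resolve index/sourcetype per input: stanza key, then [default], then server default."""
    globals_ = merged.get("default", {})
    result: Dict[str, Routing] = {}
    for stanza, kv in merged.items():
        if stanza == "default":
            continue
        index = kv.get("index", globals_.get("index"))
        result[stanza] = Routing(
            index=index or default_index,
            sourcetype=kv.get("sourcetype", globals_.get("sourcetype", "")),
            index_explicit=index is not None,
        )
    return result


def find_unrouted(merged: Conf, prefix: str = "monitor://") -> List[str]:
    """Return stanzas with the given prefix that will fall through to the default index."""
    eff = effective_inputs(merged)
    return sorted(s for s, r in eff.items() if s.startswith(prefix) and not r.index_explicit)


# Constructed sample: an app's default/inputs.conf and its local/inputs.conf override.
SAMPLE_DEFAULT = """
[monitor://C:\\Windows\\System32\\LogFiles\\SMTPSVC1]
disabled = 0

[monitor://C:\\inetpub\\logs\\LogFiles]
sourcetype = iis
"""

SAMPLE_LOCAL = """
[monitor://C:\\Windows\\System32\\LogFiles\\SMTPSVC1]
sourcetype = mssmtp
index = mssmtp

[WinEventLog://Security]
index = winevents
"""

# Constructed: a [default] stanza that gives every input in the file an index.
SAMPLE_GLOBAL_DEFAULT = """
[default]
index = msad
"""


def main() -> None:
    merged = merge_layers([parse_conf(SAMPLE_DEFAULT), parse_conf(SAMPLE_LOCAL)])
    for stanza, r in effective_inputs(merged).items():
        flag = "" if r.index_explicit else "  <-- no index set, falls through to default index"
        print(f"{stanza}: index={r.index} sourcetype={r.sourcetype or '(auto)'}{flag}")


if __name__ == "__main__":
    main()
```

Run it against the constructed layers and the IIS monitor is reported as falling through to main while the SMTP stanza, fixed in local/, routes to mssmtp; adding the [default] layer silences the report because every stanza then inherits an index. On a real forwarder the authoritative view is `splunk cmd btool inputs list --debug`, which also shows which file each key came from.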
Did anyone figure out what was causing this issue? I am experiencing the same thing. Thanks!
I'm sorry, but there is not a single question here. Can you please ask a question?
My question is: why are the AD logs going to the 'main' index, even though it is not mentioned in any configuration?
From one of your Windows hosts (that you have deployed the Windows TA to), could you please execute and post the output of splunk cmd btool inputs list --debug ?