We are running the following versions of Splunk and supporting apps for Windows infrastructure:
Splunk Enterprise 6.2.1
Splunk App for Windows Infrastructure 1.1.1
Splunk Supporting Add-on for Active Directory 2.0.1
Windows Add-on 4.7.3
The User and Group dashboards are not populating any data. I am getting data into the windows index and the wineventlog index. Can someone tell me what index the User and Group dashboards are looking at?
Usually this is a problem with the search head not searching the right indexes.
AD user and group info gets put into the msad index. Make sure that your search head searches that index and those dashboards should populate.
I added msad as a default index for my user and the User Overview dashboard is now populating. I still have some other dashboards that aren't working though. For example, when I go to the AD->Users->Administrator Audit dashboard, the drop-downs don't populate, even if I push the time range picker out a week.
I have added the windows and the wineventlog indexes to my default search, but that didn't make a difference. Any ideas?
Sorry, after looking into this further I see that those indexes are already being searched by default, as inherited from the winfra-admin role, which is inherited by all users who use this app. I actually found the problem to be that the new Windows TA is putting all of its data into a new index called wineventlog (which I saw when I updated it), but the new Windows Infrastructure App is still searching the winevents index. Not sure where the disconnect is between those two apps' developers, but changing the inputs in the Windows TA fixed some of my problems with the Infrastructure app.
I worked on this app quite a bit after my posts above and found that the correct index is now wineventlog, which changed from the previous version. When digging through the saved searches that the app uses, it references the index and sourcetypes correctly. There seems to be a bug with a few of the drop-downs, which I have seen in multiple environments across multiple companies and even after clean installs. I have worked with Splunk on these drop-downs, but they don't seem to have an answer at this point, and I get the feeling that the original devs are no longer working on it.
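The two threads of troubleshooting above (the TA writing to one index while the app's saved searches read another, and the search head's role not searching the index at all) are both config mismatches that can be checked mechanically rather than by clicking through dashboards. The script below is an added example, not code from Splunk or from either app: it parses a TA's inputs.conf, an app's savedsearches.conf and an authorize.conf with a small Splunk-style conf parser and reports searches that no input feeds, indexes that are fed but never searched, and searched indexes that fall outside a role's srchIndexesDefault (following importRoles). The three conf snippets are constructed to reproduce the winevents / wineventlog mismatch described in the thread; the stanza and search names are illustrative, and the role resolution is a simplified model (inherited index lists are simply unioned).

```python
"""Cross-check Splunk index usage between a TA's inputs, an app's saved
searches and a role's default search indexes.  Added example for this thread;
the conf text below is constructed, not taken from the real apps."""
import re

def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines,
    trailing-backslash continuations and # comments -> {stanza: {key: value}}."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):            # SPL in savedsearches.conf is often wrapped
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # first '=' only; SPL values contain more
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def input_indexes(inputs_text):
    """Enabled input stanza -> index it writes to ([default] stanza, else 'main')."""
    conf = parse_conf(inputs_text)
    fallback = conf.get("default", {}).get("index", "main")
    return {name: kv.get("index", fallback)
            for name, kv in conf.items()
            if name != "default" and kv.get("disabled", "0").lower() not in ("1", "true")}

INDEX_RE = re.compile(r'\bindex\s*=\s*"?([A-Za-z0-9_*-]+)"?', re.IGNORECASE)

def searched_indexes(savedsearches_text):
    """Saved search name -> set of index names its SPL references."""
    conf = parse_conf(savedsearches_text)
    return {name: {m.lower() for m in INDEX_RE.findall(kv.get("search", ""))}
            for name, kv in conf.items() if name != "default"}

def role_default_indexes(authorize_text, role, _seen=None):
    """Resolve srchIndexesDefault for a role, following importRoles.
    Assumption of this example: inherited lists are unioned, cycles ignored."""
    conf = parse_conf(authorize_text)
    _seen = _seen if _seen is not None else set()
    if role in _seen:
        return set()
    _seen.add(role)
    kv = conf.get("role_" + role, {})
    indexes = {i.strip() for i in kv.get("srchIndexesDefault", "").split(";") if i.strip()}
    for parent in kv.get("importRoles", "").split(";"):
        if parent.strip():
            indexes |= role_default_indexes(authorize_text, parent.strip(), _seen)
    return indexes

def find_mismatches(inputs_text, savedsearches_text, authorize_text, role):
    """Return (searches naming an index no input feeds,
               fed indexes no search reads,
               searched indexes outside the role's default index list)."""
    fed = set(input_indexes(inputs_text).values())
    by_search = searched_indexes(savedsearches_text)
    searched = set().union(*by_search.values())
    unfed = {s: idx - fed for s, idx in by_search.items() if idx - fed}
    return unfed, fed - searched, searched - role_default_indexes(authorize_text, role)

# Constructed sample: a Windows TA whose event-log inputs now go to 'wineventlog'.
TA_INPUTS = """
[WinEventLog://Security]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

[perfmon://CPU]
disabled = 0
index = windows

[powershell://siteinfo]
index = msad
"""

# Constructed sample: an app whose audit search still reads the old 'winevents' index.
APP_SEARCHES = """
[Windows Infrastructure - Admin Audit]
search = index=winevents sourcetype="WinEventLog:Security" EventCode=4720 \\
  | stats count by user

[Windows Infrastructure - CPU]
search = index=windows sourcetype="Perfmon:CPU" | timechart avg(Value)

[AD - User Overview]
search = index=msad | stats count by sAMAccountName
"""

# Constructed sample: a user role that only inherits its indexes from winfra-admin.
AUTHORIZE = """
[role_winfra-admin]
srchIndexesDefault = msad;wineventlog;windows

[role_winfra-user]
importRoles = winfra-admin
"""

if __name__ == "__main__":
    unfed, unsearched, outside = find_mismatches(TA_INPUTS, APP_SEARCHES, AUTHORIZE, "winfra-user")
    print("searches reading an index nothing feeds:", unfed)
    print("indexes fed but never searched:", unsearched)
    print("searched indexes outside the role's defaults:", outside)
```

Run it against the real files (`$SPLUNK_HOME/etc/apps/<TA>/local/inputs.conf`, the app's `default/savedsearches.conf` and `etc/system/local/authorize.conf`, merging `local` over `default` as Splunk does) and the first result set is the list of saved searches to fix or inputs to repoint; the last set is what to add to the role's default indexes.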
I have a similar problem as well. I have a Splunk indexer 6.2.5 running on Windows 2008 and a DC with a UF running on Windows 2012 R2, with the SH being a deployment server. My main problem is not seeing data from the Active Directory Computer, Users and Groups dashboards, and I have followed the Windows Infrastructure app manual by the book. I have implemented several suggestions I read in several posts out here, such as adding the winfra-admin and windows-admin roles to the "admin" user I log in with and also adding the msad, wineventlog and windows indexes to the default indexes searched by the winfra-admin role, but the Active Directory data is still not showing up in the Windows Infrastructure app or the Search app. Also, I do not see a sourcetype of MSAD in the Search app, and the list below shows everything my Search app is showing:
I did note however that the 'Powershell:ScriptExecutionErrorRecord' sourcetype returned two types of errors listed below:
1.ResolveIdentityToNTDSSettingsDN(T identityObj, ICollection1 propertiesToFetch, Boolean checkForDCs, ADObject& computerObj, ADObject& serverObj, ADObject& ntdsDSAObj) at Microsoft.ActiveDirectory.Management.Commands.ADDomainControllerFactory
1.GetExtendedObjectFromIdentity(T identityObj, String identityQueryPath, ICollection1 propertiesToFetch, Boolean showDeleted) at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase
3.ADGetCmdletBaseProcessCSRoutine() at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke() at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase1.ProcessRecord()" InnerException="System.ServiceModel.FaultException: Invalid Enumeration Context specified in the request."
ParentIdentity="8b61175d-2253-4ded-a83e-cd573c864ba3" ErrorIndex="0" ErrorMessage="A local error has occurred" PositionMessage="At C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-2012R2\bin\powershell\siteinfo.ps1:7 char:8 + $DC = Get-ADDomainController -Identity $ServerName + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" CategoryInfo="NotSpecified: (WIN-MAIN-DC-VM:ADDomainController) [Get-ADDomainController], ADException" FullyQualifiedErrorId="ActiveDirectoryServer:8251,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController" Exception="Microsoft.ActiveDirectory.Management.ADException: A local error has occurred ---> System.ServiceModel.FaultException
1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. Server stack trace: at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object ins, Object outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at : at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.TopologyManagement.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) --- End of inner exception stack trace --- at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADTopologyManagement.GetADDomainController(ADSessionHandle handle, GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADTopologyManagement.GetDomainController(String dcNtdsSettingsDN) at Microsoft.ActiveDirectory.Management.Commands.ADDomainControllerFactory1.GetExtendedObjectFromIdentity(T identityObj, String identityQueryPath, ICollection
1 propertiesToFetch, Boolean showDeleted) at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase3.ADGetCmdletBaseProcessCSRoutine() at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke() at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase
1.ProcessRecord()" InnerException="System.ServiceModel.FaultException1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. (Fault Detail is equal to schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault).
PLEASE, any guidance in resolving this problem will be greatly appreciated. I have been working on this for over 3 weeks.
I too am beginning to explore the Splunk App for Windows Infrastructure, and found that there are caveats between indexes and sourcetypes, preventing some dashboards in the app from displaying the information. I guess either the devs bring a bugfix to the app, or we have to manually update the config files accordingly.
When dealing with prebuilt apps, I tend not to make too many custom changes to them, because most of the time they break when we apply updates to them...