So I am trying to get the Windows Infrastructure app all configured. For the most part I think I have it configured right, but some things are not working.
If I go into Active Directory Topology report - I can see the domains - looks like a lot of the dashboards are working... I want to make sure that I can watch Group Policy Changes... I have auditing turned on at the domain controller and have verified that events are being logged - viewed them in the security log.
When I go to Splunk > Windows Infra App > Active Directory > Group Policy > Group Policy Changes
The account domain field, Administrator, and GPO Name on the right hand side states "Search produced no results"
Changed to last 7 days to make sure - nothing.
Is this pulled from the event log entries that are created with auditing turned on, or via LDAP queries of some sort?
Any help to get this working would be appreciated.
I've been having the same issue since installing Splunk, but I was able to resolve it this morning by enabling Audit file system global object access in the Default Domain Controllers Policy.
This is on 2012R2 server running at 2008R2 functional level.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Global Object Access Auditing > File System
Set the Principal to Everyone
Set the Type to Success
Set Permissions to
Create Files / write data
Create folders / append data
Write extended attributes
Delete subfolders and files
Hope that helps.
Honestly I gave up trying to figure it out. It hasn't worked since we installed. Yes, we are logging those events. Followed the instructions for installation etc. You can manually search for the events and they come up fine - just not in this add-on.
Make sure your GPO is auditing those events: http://docs.splunk.com/Documentation/MSApp/1.2.0/MSInfra/ConfigureActiveDirectoryauditpolicy . Specifically, make sure that you are auditing Policy Change. Once you do that, any changes to GPOs will be written to the Windows Security Event Log. Those are logged as event code 4662.
You can search your Splunk instance for sourcetype="WinEventLog:Security" EventCode=4662 to see if any events are there. Once they show up, the dashboard should start populating.
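To check both things the two answers above point at from the domain controller itself, here is an added PowerShell example (my own, not from the thread or from Splunk's app): it prints the effective audit policy for the Policy Change category, Directory Service Access, and the file-system Global Object Access SACL, then reads the last 7 days of event 4662 from the Security log and lists the Account Domain, Account Name and object name fields that the Group Policy Changes panels display. The GPO filter is an assumption on my part: it keeps 4662 events whose ObjectName falls under CN=Policies,CN=System or whose ObjectType carries the groupPolicyContainer schema class GUID. Run it in an elevated prompt on a DC; if the list comes back empty, the events the dashboard needs are not being generated yet, regardless of what Splunk is forwarding.

```powershell
# Added example (not part of the original thread): verify the audit settings described above
# and pull the 4662 events the Group Policy Changes dashboard reads. Run elevated on a DC.

# 1. Effective audit policy as actually applied on this DC (not what the GPO editor shows).
auditpol /get /category:"Policy Change"
auditpol /get /subcategory:"Directory Service Access"
# Global Object Access Auditing SACL for the file system (the setting enabled in the first answer).
auditpol /resourceSACL /type:File /view

# 2. Event 4662 from the last 7 days, the same window used in the question.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Assumption: GPO objects live under CN=Policies,CN=System in the domain partition, and their
# class GUID (groupPolicyContainer) is f30e3bc2-9ff0-11d1-b603-0000f80367c1.
$gpoClassGuid = 'f30e3bc2-9ff0-11d1-b603-0000f80367c1'

$gpoRows = foreach ($ev in $events) {
    # EventData is a list of <Data Name="...">value</Data> elements; flatten it to a hashtable.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.ObjectName -match 'CN=Policies,CN=System' -or $data.ObjectType -match $gpoClassGuid) {
        [pscustomobject]@{
            Time          = $ev.TimeCreated
            AccountDomain = $data.SubjectDomainName   # "account domain" panel
            AccountName   = $data.SubjectUserName     # "Administrator" in the question's screenshot
            ObjectName    = $data.ObjectName          # GPO object the dashboard resolves to a GPO name
            AccessMask    = $data.AccessMask
        }
    }
}

if (-not $gpoRows) {
    Write-Warning "No GPO-related 4662 events in the last 7 days on this DC; the dashboard will stay empty until auditing produces them."
} else {
    $gpoRows | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

If auditpol shows "No Auditing" for Policy Change or Directory Service Access while the GPO editor shows it enabled, the policy has not applied to this DC yet (gpupdate /force and check the Default Domain Controllers Policy link); if the policy is applied but the list is still empty, the GPO objects themselves have no SACL entries, so no 4662 is written for changes to them.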
Yes I submitted a ticket. I was told to run a diag on my splunk server which ended up hanging and never completing.
I emailed the rep and informed him/her of this and haven't received any word back. I've loved Splunk up to the point of having to actually open tickets with them. I find that it's mostly a 1 day response time on any email I submit.
I will update this post with any findings.