Splunk App for Windows Infrastructure: Why is there no data under Group Policy (GPO) Changes?
So I am trying to get the Windows Infrastructure all configured. For the most part I think I have it configured right but some things are not working.
If I go into Active Directory Topology report - I can see the domains - looks like a lot of the dashboards are working... I want to make sure that I can watch Group Policy Changes... I have auditing turned on at the domain controller and have verified that events are being logged - viewed them in the security log.
When I go to Splunk > Windows Infra App > Active Directory > Group Policy > Group Policy Changes
The account domain field, Administrator, and GPO Name on the right hand side states "Search produced no results"
Change to last 7 days to make sure - nothing....
Is this pulled from the event log entries that are created with auditing turned on, or via LDAP queries of some sort?
Any help to get this working would be appreciated.
Thanks
John

I've been having the same issue since installing Splunk, but I was able to resolve it this morning by enabling Audit file system global object access in the Default Domain Controllers Policy.
This is on 2012R2 server running at 2008R2 functional level.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Global Object Access Auditing > File System
Set the Principal to Everyone
Set the Type to Success
Set Permissions to:
- Create Files / write data
- Create folders / append data
- Write Attributes
- Write extended attributes
- Delete subfolders and files
- Delete
- Change Permissions
- Take Ownership
Hope that helps.
I am also having a similar problem with the Event Monitoring Dashboard. The Log Name drop down is showing no results.

Do you have any news regarding this topic? We are facing exactly the same issue.
PS - Even called Splunk support on this as we have a support contract. They have been unable to help resolve.
Honestly I gave up trying to figure it out. It hasn't worked since we installed. Yes we are logging those events. Followed the instructions for installation etc. You can manually search for the events and they come up sone - just not in this addon.
I'm in the same boat. It's the only piece of the infrastructure app that I don't have working.


Make sure your GPO is auditing those events. http://docs.splunk.com/Documentation/MSApp/1.2.0/MSInfra/ConfigureActiveDirectoryauditpolicy . Specifically make sure that you are auditing policy change. Once you do that, any changes to GPO will be written to the Windows Security Event Log. Those are logged as event code 4662.
You can search your Splunk instance for sourcetype="WinEventLog:Security" EventCode=4662 to see if any events are there. Once they show up, the dashboard should start populating.
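
The check the replies above describe (is the audit policy actually applied, and are 4662 events present in the local Security log), as an added PowerShell example that is not part of the original posts. It assumes an elevated session on a domain controller and English-language audit subcategory names; the seven-day window matches the range tried in the question.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.

# 1. Effective audit policy on this DC (what was actually applied,
#    which can differ from what the GPO editor shows).
#    Subcategory names are localized; the pattern assumes an English system.
auditpol /get /category:* |
    Select-String -Pattern 'Directory Service|Policy Change|File System'

# 2. Event 4662 entries in the local Security log for the last 7 days.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    # Nothing logged locally means the problem is auditing, not Splunk.
    Write-Output "No 4662 events since $since on $env:COMPUTERNAME"
}
else {
    # 3. Pull the named EventData fields out of each event's XML so the
    #    events can be grouped by day, account and object type.
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Day        = $e.TimeCreated.ToString('yyyy-MM-dd')
            User       = $data['SubjectUserName']
            ObjectType = $data['ObjectType']
        }
    }

    $rows |
        Group-Object Day, User, ObjectType |
        Sort-Object Count -Descending |
        Select-Object Count, Name -First 20
}
```

If this returns events but the Splunk search quoted above returns none for the same host and time range, the gap is in collection or indexing rather than in the audit policy.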
I've done the above and it still doesn't populate the dashboard as mentioned above.
Have you sent a ticket to Splunk yet? Did they respond to you with any solutions? I am facing the same issue as well.
Yes I submitted a ticket. I was told to run a diag on my Splunk server which ended up hanging and never completing.
I emailed the rep and informed him/her of this and haven't received any word back. I've loved Splunk up to the point of having to actually open tickets with them. I find that it's mostly a 1 day response time on any email I submit.
I will update this post with any findings.
Thanks a lot! Hopefully they get back to you soon! It seems this particular dashboard has been having issues since a few years back and somehow it was never solved.


Are you seeing Events 4662 in your EventLog if you go direct to the Windows Event Log?
Yes I am. Verified a few instances of that entry in the event log.


I'd recommend starting a ticket with Splunk. This is a supported app.
I'm having the same issue. Any help would be appreciated.
Have not gotten this working yet - have not had time. I need to call back into support at some point. I will update if I get it working.
Have you had any update from them? I've had issues with this and some of the user reports. For it being a Splunk supported app, it's kind of clunky.
