
Splunk App for Windows Infrastructure: Why is there no data under Group Policy (GPO) Changes?

dolejh76
Communicator

So I am trying to get the Windows Infrastructure app all configured. For the most part I think I have it configured right, but some things are not working.

If I go into Active Directory Topology report - I can see the domains - looks like a lot of the dashboards are working... I want to make sure that I can watch Group Policy Changes... I have auditing turned on at the domain controller and have verified that events are being logged - viewed them in the security log.

When I go to Splunk > Windows Infra App > Active Directory > Group Policy > Group Policy Changes

The account domain field, Administrator, and GPO Name on the right hand side states "Search produced no results"

Change to last 7 days to make sure - nothing....

Is this pulled from the event log entries that are created with auditing turned on, or via LDAP queries of some sort?

Any help to get this working would be appreciated.

Thanks
John

mstolecki
Engager

I've been having the same issue since installing Splunk, but I was able to resolve it this morning by enabling Audit file system global object access in the Default Domain Controllers Policy.

This is on a 2012R2 server running at 2008R2 functional level.

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Global Object Access Auditing > File System
Set the Principal to Everyone
Set the Type to Success
Set Permissions to
Create Files / write data
Create folders / append data
Write Attributes
Write extended attributes
Delete subfolders and files
Delete
Change Permissions
Take Ownership

Hope that helps.


shan_santosh
Explorer

I am also having a similar problem with the Event Monitoring dashboard. The Log Name drop-down is showing no results.


MERBAG
Explorer

Do you have any news regarding this topic? We are facing exactly the same issue.


dolejh76
Communicator

PS - I even called Splunk support on this, as we have a support contract. They have been unable to help resolve it.


dolejh76
Communicator

Honestly, I gave up trying to figure it out. It hasn't worked since we installed. Yes, we are logging those events. Followed the instructions for installation etc. You can manually search for the events and they come up fine - just not in this add-on.


adamschmitz
Path Finder

I'm in the same boat. It's the only piece of the infrastructure app that I don't have working.


aivarson_splunk
Splunk Employee

Make sure your GPO is auditing those events: http://docs.splunk.com/Documentation/MSApp/1.2.0/MSInfra/ConfigureActiveDirectoryauditpolicy. Specifically, make sure that you are auditing policy change. Once you do that, any changes to GPO will be written to the Windows Security Event Log. Those are logged as event code 4662.

You can search your Splunk instance for sourcetype="WinEventLog:Security" EventCode=4662 to see if any events are there. Once they show up, the dashboard should start populating.

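A way to check what the 4662 events found by the search above actually contain, as an added example that is not part of the original thread or of the Splunk App for Windows Infrastructure: 4662 is logged for any audited operation on any directory object, so the question is whether the events on the domain controller are writes to groupPolicyContainer objects at all, and whether they carry the account and object fields a GPO-change panel needs. The script parses the multi-line Windows Security event text as Splunk ingests it and keeps only 4662 events whose Object Type is the groupPolicyContainer class (schemaIDGUID f30e3bc2-9ff0-11d1-b603-0000f80367c1) and whose Accesses include a write-type access. The sample events, the domain corp.example and the account names are constructed; real events use tabs where the sample uses spaces, and the parser accepts either.

```python
"""Triage helper: parse Windows Security event 4662 text (sourcetype
WinEventLog:Security) and keep only the events that record a write to a
Group Policy object. Added example, not code from the Splunk app."""
import re

# schemaIDGUID of the AD class behind every GPO; 4662 reports Object Type as %{guid}
GPC_SCHEMA_GUID = "f30e3bc2-9ff0-11d1-b603-0000f80367c1"   # groupPolicyContainer
USER_SCHEMA_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"  # user class (negative sample)
WRITE_ACCESSES = {"Write Property", "Create Child", "Delete Child",
                  "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# Constructed sample in the layout Splunk's Windows event log input produces.
SAMPLE_TEMPLATE = """03/14/2016 10:22:41 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4662
ComputerName=dc01.corp.example
TaskCategory=Directory Service Access
Keywords=Audit Success
Message=An operation was performed on an object.

Subject :
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-500
    Account Name:       {account}
    Account Domain:     CORP

Object:
    Object Server:      DS
    Object Type:        %{{{obj_type}}}
    Object Name:        {obj_name}

Operation:
    Operation Type:     Object Access
    Accesses:           {accesses}
    Properties:         {accesses}
        {{bf967a0e-0de6-11d0-a285-00aa003049e2}}
"""


def make_4662(account, obj_type, obj_name, accesses):
    """Build one constructed sample event from the template above."""
    return SAMPLE_TEMPLATE.format(account=account, obj_type=obj_type,
                                  obj_name=obj_name, accesses=accesses)


GPC_DN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    make_4662("Administrator", GPC_SCHEMA_GUID, GPC_DN, "Write Property"),  # GPO edited
    make_4662("jsmith", GPC_SCHEMA_GUID, GPC_DN, "Read Property"),          # GPO only read
    make_4662("Administrator", USER_SCHEMA_GUID,
              "CN=jsmith,CN=Users,DC=corp,DC=example", "Write Property"),   # not a GPO
]

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_event(raw):
    """Return the Key=Value header fields plus the 'Key: Value' pairs of the
    message body; indented lines without a key continue the previous value."""
    fields, last_key, in_message = {}, None, False
    for line in raw.splitlines():
        if not in_message:
            key, sep, val = line.partition("=")
            if sep:
                fields[key] = val
                in_message = key == "Message"
            continue
        m = KV_RE.match(line)
        if m and m.group(2):             # e.g. "Account Name:  Administrator"
            last_key = m.group(1)
            fields[last_key] = m.group(2)
        elif m:                          # section header such as "Subject :"
            last_key = None
        elif line.strip() and last_key:  # continuation line, e.g. a property GUID
            fields[last_key] += "\n" + line.strip()
    return fields


def is_gpo_change(fields):
    """True for a 4662 that records a write-type access to a groupPolicyContainer.
    Audited reads of the same object also produce 4662 and are not changes."""
    if fields.get("EventCode") != "4662":
        return False
    obj_type = fields.get("Object Type", "").strip("%{}").lower()
    if obj_type not in (GPC_SCHEMA_GUID, "grouppolicycontainer"):
        return False
    accesses = {a.strip() for a in fields.get("Accesses", "").splitlines()}
    return bool(accesses & WRITE_ACCESSES)


def gpo_guid(object_name):
    """Pull the GPO GUID out of a DN of the form CN={guid},CN=Policies,CN=System,..."""
    m = re.search(r"CN=\{([0-9A-Fa-f-]{36})\},CN=Policies,", object_name)
    return m.group(1).upper() if m else None


def gpo_changes(events):
    """Summarise the GPO writes among raw events (one event text per string)."""
    out = []
    for raw in events:
        f = parse_event(raw)
        if is_gpo_change(f):
            out.append({"dc": f.get("ComputerName"),
                        "user": f"{f.get('Account Domain')}\\{f.get('Account Name')}",
                        "gpo_guid": gpo_guid(f.get("Object Name", "")),
                        "accesses": f.get("Accesses")})
    return out


if __name__ == "__main__":
    for change in gpo_changes(SAMPLE_EVENTS):
        print(change)
```

Run against exported events from the domain controller (or the `_raw` of the Splunk search above), the script separates the three cases that all match `EventCode=4662`: a write to a GPO, an audited read of a GPO, and a write to some other object. If every event on your DC falls into the second or third bucket, there is nothing for a GPO-change panel to show even though the search returns results. Note also that the event carries only the GPO's GUID in the Object Name DN, not its display name; the app's own field extractions and the exact filter its panels apply are not shown on this page, so treat this as a check on the raw events, not as a reproduction of the dashboard query.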

adamschmitz
Path Finder

I've done the above and it still doesn't populate the dashboard as mentioned above.


BenTan
Path Finder

Have you sent a ticket to Splunk yet? Did they respond to you with any solutions? I am facing the same issue as well.


adamschmitz
Path Finder

Yes, I submitted a ticket. I was told to run a diag on my Splunk server, which ended up hanging and never completing.

I emailed the rep and informed him/her of this and haven't received any word back. I've loved Splunk up to the point of having to actually open tickets with them. I find that it's mostly a 1 day response time on any email I submit.

I will update this post with any findings.


BenTan
Path Finder

Thanks a lot! Hopefully they get back to you soon! It seems this particular dashboard has been having issues since a few years back and somehow it was never solved.


aivarson_splunk
Splunk Employee

Are you seeing Events 4662 in your EventLog if you go direct to the Windows Event Log?


adamschmitz
Path Finder

Yes, I am. Verified a few instances of that entry in the event log.


aivarson_splunk
Splunk Employee

I'd recommend starting a ticket with Splunk. This is a supported app.


Tonypic55
New Member

I'm having the same issue. Any help would be appreciated.


dolejh76
Communicator

Have not gotten this working yet - have not had time. I need to call back into support at some point. I will update if I get it working.

trevorr2004
Engager

Have you had any update from them? I've had issues with this and some of the user reports. For it being a Splunk-supported app, it's kind of clunky.
