
Splunk App for Windows Infrastructure: Why is there no data under Group Policy (GPO) Changes?

Communicator

So I am trying to get the Windows Infrastructure all configured. For the most part I think I have it configured right but some things are not working.

If I go into Active Directory Topology report - I can see the domains - looks like a lot of the dashboards are working... I want to make sure that I can watch Group Policy Changes... I have auditing turned on at the domain controller and have verified that events are being logged - viewed them in the security log.

When I go to Splunk > Windows Infra App > Active Directory > Group Policy > Group Policy Changes

The account domain field, Administrator, and GPO Name on the right hand side states "Search produced no results"

Change to last 7 days to make sure - nothing....

Is this pulled from the event log entries that are created with auditing turned on, or via LDAP queries of some sort??

Any help to get this working would be appreciated.

Thanks
John

Engager

I've been having the same issue since installing Splunk, but I was able to resolve it this morning by enabling Audit file system global object access in the Default Domain Controllers Policy.

This is on 2012R2 server running at 2008R2 functional level.

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Global Object Access Auditing > File System
Set the Principal to Everyone
Set the Type to Success
Set Permissions to
Create Files / write data
Create folders / append data
Write Attributes
Write extended attributes
Delete subfolders and files
Delete
Change Permissions
Take Ownership

Hope that helps.

0 Karma

Explorer

I am also having similar problem with Event Monitoring Dashboard. Log Name drop down is showing no results

0 Karma

Explorer

do you have any news regarding this topic? We are facing exactly the same issue

0 Karma

Communicator

PS - Even called splunk support on this as we have a support contract. They have been unable to help resolve.

0 Karma

Communicator

Honestly I gave up trying to figure it out. It hasn't worked since we installed. Yes we are logging those events. Followed the instructions for installation etc. You can manually search for the events and they come up fine - just not in this addon.

0 Karma

Path Finder

I'm in the same boat. It's the only piece of the infrastructure app that I don't have working.

0 Karma

Splunk Employee

Make sure your GPO is auditing those events: http://docs.splunk.com/Documentation/MSApp/1.2.0/MSInfra/ConfigureActiveDirectoryauditpolicy . Specifically, make sure that you are auditing policy change. Once you do that, any changes to GPO will be written to the Windows Security Event Log. Those are logged as event code 4662.

You can search your Splunk instance for sourcetype="WinEventLog:Security" EventCode=4662 to see if any events are there. Once they show up, the dashboard should start populating.

0 Karma
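An added check, not part of this thread or of the Splunk app, for confirming on the domain controller itself that the auditing described above is in place and that 4662 events for Group Policy objects actually exist before looking at the dashboard. It assumes an elevated PowerShell session on a DC, that 4662 is raised under the "Directory Service Access" subcategory, and that the object type GUID it filters on is the groupPolicyContainer schema class id (assumed here, not taken from the thread). The Splunk field name in the closing comment is also an assumption.

```powershell
# Added example (not from the thread or the Splunk app): verify audit policy on a DC
# and look for 4662 events that touch Group Policy objects in the last N days.
# Assumptions: elevated session on a domain controller; $GpcObjectType is the
# groupPolicyContainer schema class GUID (assumed); field names follow the 4662 XML.

$LookbackDays  = 7
$GpcObjectType = 'f30e3bc2-9ff0-11d1-b603-0000f80367c1'   # assumed groupPolicyContainer GUID

# 1. Effective audit policy for the subcategories the dashboard depends on.
#    4662 is produced under "Directory Service Access"; "Audit Policy Change" is
#    what the Splunk employee asks to confirm above.
$subcategories = 'Directory Service Access', 'Directory Service Changes', 'Audit Policy Change'
foreach ($sub in $subcategories) {
    $line = (auditpol.exe /get /subcategory:"$sub") |
        Where-Object { $_ -match [regex]::Escape($sub) } |
        Select-Object -First 1
    '{0,-28} {1}' -f $sub, ($line -replace '^\s+')
}

# 2. Pull 4662 events from the Security log and keep those whose Object Type is a GPO.
$filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$gpoEvents = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            ObjectType = $data.ObjectType
            ObjectName = $data.ObjectName
            AccessMask = $data.AccessMask
        }
    } |
    Where-Object { $_.ObjectType -match $GpcObjectType }

if (-not $gpoEvents) {
    Write-Warning "No 4662 events for Group Policy objects in the last $LookbackDays days. Check the audit policy output above and that the forwarder is reading the Security log."
} else {
    $gpoEvents | Sort-Object Time | Format-Table -AutoSize
}

# 3. Equivalent Splunk search to compare against the count seen on the DC
#    (Object_Type is the field name assumed for the Windows add-on's extraction):
#    sourcetype="WinEventLog:Security" EventCode=4662 Object_Type="*f30e3bc2-9ff0-11d1-b603-0000f80367c1*"
```

If step 1 shows the subcategory as "No Auditing" the dashboard cannot populate no matter what the forwarder does; if step 2 lists events but the Splunk search returns nothing, the gap is between the DC and the indexer (input, sourcetype or time range), not in auditing.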

Path Finder

I've done the above and it still doesn't populate the dashboard as mentioned above.

0 Karma

Path Finder

Have you sent a ticket to Splunk yet? Did they respond to you with any solutions? I am facing the same issue as well.

0 Karma

Path Finder

Yes I submitted a ticket. I was told to run a diag on my Splunk server which ended up hanging and never completing.

I emailed the rep and informed him/her of this and haven't received any word back. I've loved Splunk up to the point of having to actually open tickets with them. I find that it's mostly a 1 day response time on any email I submit.

I will update this post with any findings.

0 Karma

Path Finder

Thanks a lot! Hopefully they get back to you soon! It seems this particular dashboard has been having issues since a few years back and somehow it was never solved.

0 Karma

Splunk Employee

Are you seeing Events 4662 in your EventLog if you go direct to the Windows Event Log?

0 Karma

Path Finder

Yes I am. Verified a few instances of that entry in the event log.

0 Karma

Splunk Employee

I'd recommend starting a ticket with Splunk. This is a supported app.

0 Karma

New Member

I'm having the same issue. Any help would be appreciated.

0 Karma

Communicator

Have not gotten this working yet - have not had time. I need to call back into support at some point. I will update if I get it working.

Engager

Have you had any update from them? I've had issues with this and some of the user reports. For it being a Splunk supported app, it's kind of clunky.

0 Karma