
Splunk App for Windows Infrastructure - deployment issues

Explorer

Hi,

I'm trying to deploy Splunk App for Windows Infrastructure on a small AD environment (2 Domain Controllers and a few other Windows servers + 1 Splunk Indexer).

I installed everything according to the App specification but I'm getting very little information via the App itself now. I can see that I do not get any info re users or groups etc.

I noticed that the PowerShell scripts aren't running OK, i.e. the script below should gather some topology info but returns an error (see the end of the post).

Any ideas what could go wrong?

[powershell://AD-Health]
script = & "$SplunkHome\etc\apps\TA-DomainController-2012R2\bin\Invoke-MonitoredScript.ps1" -Command ".\ad-health.ps1"
schedule = 0 */5 * ? * *
index = msad
source=Powershell
sourcetype=MSAD:NT6:Health
disabled=false

ParentIdentity="5e1ba9e1-f102-4156-8e0e-7abed0a5d1c3" ErrorIndex="0" ErrorMessage="A local error has occurred" PositionMessage="At C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-2012R2\bin\siteinfo.ps1:7 char:8 + $DC = Get-ADDomainController -Identity $ServerName + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" CategoryInfo="NotSpecified: (REDACTED:ADDomainController) [Get-ADDomainController], ADException" FullyQualifiedErrorId="ActiveDirectoryServer:8251,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController" Exception="Microsoft.ActiveDirectory.Management.ADException: A local error has occurred ---> System.ServiceModel.FaultException1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. Server stack trace: at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.TopologyManagement.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) --- End of inner exception stack trace --- at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException) at 
Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADTopologyManagement.GetADDomainController(ADSessionHandle handle, GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADTopologyManagement.GetDomainController(String[] dcNtdsSettingsDN) at Microsoft.ActiveDirectory.Management.Commands.ADDomainControllerFactory1.GetExtendedObjectFromIdentity(T identityObj, String identityQueryPath, ICollection1 propertiesToFetch, Boolean showDeleted) at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase3.ADGetCmdletBaseProcessCSRoutine() at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke() at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase1.ProcessRecord()" InnerException="System.ServiceModel.FaultException1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. (Fault Detail is equal to schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault)."

0 Karma
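The call that fails in the error above is Get-ADDomainController, which goes through Active Directory Web Services (ADWS, TCP 9389) rather than plain LDAP, so the forwarder's account, the RSAT ActiveDirectory module and the ADWS service all have to be in place on the DC. The diagnostic below is an added example, not part of the TA or the Splunk app; it runs the same call under the current account with the full exception captured, and assumes siteinfo.ps1 passes the local computer name as $ServerName.

```powershell
# Added diagnostic (not part of TA-DomainController-2012R2 or the Splunk app).
# Run it on the DC as the account the SplunkForwarder service runs under.
param(
    # Assumption: siteinfo.ps1 resolves the local DC by its own computer name.
    [string]$ServerName = $env:COMPUTERNAME
)

$results = [ordered]@{}

# 1. The identity making the ADWS call; it needs read access to the directory.
$results['RunningAs'] = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# 2. The ActiveDirectory module (RSAT-AD-PowerShell feature) must be importable.
$results['ADModulePresent'] = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

# 3. Get-ADDomainController talks to ADWS, not LDAP/389, so the service must be up.
$adws = Get-Service -Name ADWS -ErrorAction SilentlyContinue
$results['ADWSStatus'] = if ($adws) { $adws.Status.ToString() } else { 'NotInstalled' }

# 4. Is the ADWS port reachable on the target the script names?
$results['ADWSPortOpen'] = (Test-NetConnection -ComputerName $ServerName -Port 9389 `
    -WarningAction SilentlyContinue).TcpTestSucceeded

# 5. The same call the TA makes, with the exception chain kept instead of swallowed.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $dc = Get-ADDomainController -Identity $ServerName -ErrorAction Stop
    $results['GetADDomainController'] = "OK: $($dc.HostName) site=$($dc.Site)"
} catch {
    $results['GetADDomainController'] = "FAILED: $($_.Exception.GetType().Name): $($_.Exception.Message)"
    if ($_.Exception.InnerException) {
        $results['InnerException'] = $_.Exception.InnerException.Message
    }
}

# 6. Discovery-based lookup for comparison: if this works while step 5 fails,
#    the identity string the script passes is the problem, not ADWS itself.
try {
    $disc = Get-ADDomainController -Discover -ErrorAction Stop
    $results['DiscoverDC'] = "OK: $($disc.HostName)"
} catch {
    $results['DiscoverDC'] = "FAILED: $($_.Exception.Message)"
}

[pscustomobject]$results | Format-List
```

Run it once as yourself and once under the forwarder's service account; a result that differs between the two points at the account's rights rather than at the DC.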

Contributor

Hi africates,
Did you verify your ldap.conf?...
The following can also help
http://docs.splunk.com/Documentation/MSApp/1.0.2/MSInfra/EnableAuditingandPowerShellondomaincontroll...

0 Karma

Explorer

I ignored that Users, Computers and Groups weren't detected, checked these under 'App Configuration' and created lookups. I can see some reports when I do the search now, but e.g. the following (and more) are missing:
Users > Administrator Audit (Account Domain and Administrator - no results)

0 Karma

Explorer

OK, I think I'm getting somewhere. I am able to run 'ldapsearch' using the Splunk Support - LDAP Commands app. I can also see some indexes triggered by add-ons installed on the DCs (e.g. for TA-DomainController-2012R2 when executing: index=msad sourcetype=MSAD:NT6:Health).
I still, however, have a problem with Splunk App for Windows Infrastructure. When I'm running 'App Configuration' I'm not getting: Users, Computers and Groups.
I was under the impression that these are preconfigured in the add-ons which I installed on the DCs, but maybe they are not. What should I check in inputs.conf? Thanks

0 Karma

Explorer

Hi,

I had configured ldap.conf on the Splunk server (\\c$\Program Files\Splunk\etc\apps\SA-ldapsearch\local\ldap.conf) - see the config below.

I also enabled auditing and Powershell script execution on AD servers via GPO.

The only thing which I skipped from the whole installation guide was setting up an AD user for the Splunk server. Instead of that I am running the Splunk server service as domain administrator temporarily, which I believe should be fine.

Any other ideas? Maybe there is some way of debugging the whole process?

[default]
server =

[my-domain.local]
server = ;
basedn = DC=my-domain,DC=local
binddn = cn=user,OU=Managed Service Accounts,DC=my-domain,DC=local
password = xxx
alternatedomain = MY-DOMAIN

thanks
p

0 Karma