I'm trying to deploy Splunk App for Windows Infrastructure on a small AD environment (2 Domain Controllers and a few other Windows servers + 1 Splunk Indexer).
I installed everything according to the App specification, but I'm getting very little information via the App itself now. I can see that I do not get any information regarding users, groups, etc.
I noticed that the PowerShell scripts aren't running OK, i.e. the script below should gather some topology info but returns an error (see the end of the post).
Any ideas what could go wrong?
script = & "$SplunkHome\etc\apps\TA-DomainController-2012R2\bin\Invoke-MonitoredScript.ps1" -Command ".\ad-health.ps1"
schedule = 0 */5 * ? * *
index = msad
ParentIdentity="5e1ba9e1-f102-4156-8e0e-7abed0a5d1c3"
ErrorIndex="0"
ErrorMessage="A local error has occurred"
PositionMessage="At C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-2012R2\bin\siteinfo.ps1:7 char:8 + $DC = Get-ADDomainController -Identity $ServerName + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
CategoryInfo="NotSpecified: (REDACTED:ADDomainController) [Get-ADDomainController], ADException"
FullyQualifiedErrorId="ActiveDirectoryServer:8251,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController"
Exception="Microsoft.ActiveDirectory.Management.ADException: A local error has occurred ---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. Server stack trace: at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object ins, Object outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at : at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.TopologyManagement.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) --- End of inner exception stack trace --- at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADTopologyManagement.GetADDomainController(ADSessionHandle handle, GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADTopologyManagement.GetDomainController(String dcNtdsSettingsDN) at Microsoft.ActiveDirectory.Management.Commands.ADDomainControllerFactory`1.GetExtendedObjectFromIdentity(T identityObj, String identityQueryPath, ICollection`1 propertiesToFetch, Boolean showDeleted) at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase`3.ADGetCmdletBaseProcessCSRoutine() at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke() at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()"
InnerException="System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. (Fault Detail is equal to schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault)."
I had configured ldap.conf on the Splunk server (see the ldap.conf excerpt below).
I also enabled auditing and PowerShell script execution on the AD servers via GPO.
The only thing I skipped from the whole installation guide was setting up an AD user for the Splunk server. Instead, I am temporarily running the Splunk server service as a domain administrator, which I believe should be fine.
Any other ideas? Maybe there is some way of debugging the whole process?
basedn = DC=my-domain,DC=local
binddn = cn=user,OU=Managed Service Accounts,DC=my-domain,DC=local
password = xxx
alternatedomain = MY-DOMAIN
OK, I think I'm getting somewhere. I am able to run 'ldapsearch' using the Splunk Support - LDAP Commands app. I can also see some indexes being populated by the add-ons installed on the DCs (e.g. for TA-DomainController-2012R2 when executing: index=msad sourcetype=MSAD:NT6:Health).
I still, however, have a problem with Splunk App for Windows Infrastructure. When I'm running 'App Configuration' I'm not getting: Users, Computers and Groups.
I was under the impression that these are preconfigured in the add-ons which I installed on the DCs, but maybe they are not. What should I check in inputs.conf? Thanks
I ignored that Users, Computers and Groups weren't detected, checked these under 'App Configuration' and created the lookups. I can see some reports when I search now, but the ones below (and more) are missing:
Users > Administrator Audit (Account Domain and Administrator - no results)
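The stack trace in the post shows the failure inside Microsoft.ActiveDirectory.Management.AdwsConnection: the ActiveDirectory PowerShell cmdlets do not bind over plain LDAP but over Active Directory Web Services (ADWS, TCP 9389), so a working ldapsearch from the Splunk server does not prove that Get-ADDomainController will work on the DC in the forwarder's security context. The following script is an added diagnostic, not part of the Splunk app or the TA; it reproduces the call made at siteinfo.ps1:7 (Get-ADDomainController -Identity $ServerName) and checks the prerequisites that call depends on. It assumes you run it on the DC, as the same account the SplunkForwarder service runs under; the $ServerName parameter and all output strings are this example's own.

```powershell
# Added diagnostic example (not code from the Splunk app or TA-DomainController-2012R2).
# Run on the domain controller, in the same security context as the universal forwarder
# service, to see why Get-ADDomainController fails there.
param(
    # Assumption: the TA script resolves the local DC by its own hostname.
    [string]$ServerName = $env:COMPUTERNAME
)

$ErrorActionPreference = 'Continue'
Write-Host "Running as       : $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-Host "PowerShell version: $($PSVersionTable.PSVersion)"

# 1. The ActiveDirectory module must load in this context (RSAT-AD-PowerShell feature).
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    Write-Host "ActiveDirectory module: loaded"
} catch {
    Write-Host "ActiveDirectory module failed to load: $($_.Exception.Message)"
    return
}

# 2. The AD cmdlets talk to ADWS on TCP 9389, so the service must be running and reachable.
$adws = Get-Service -Name ADWS -ErrorAction SilentlyContinue
Write-Host "ADWS service status: $(if ($adws) { $adws.Status } else { 'service not found' })"

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ServerName, 9389)
    Write-Host "ADWS port 9389 on ${ServerName}: reachable"
} catch {
    Write-Host "ADWS port 9389 on ${ServerName}: NOT reachable ($($_.Exception.Message))"
} finally {
    $tcp.Close()
}

# 3. Reproduce the failing call and print the whole exception chain, since the
#    outer "A local error has occurred" hides the ADWS fault underneath it.
try {
    $dc = Get-ADDomainController -Identity $ServerName -ErrorAction Stop
    Write-Host "Get-ADDomainController OK: host=$($dc.HostName) site=$($dc.Site)"
} catch {
    Write-Host "Get-ADDomainController failed:"
    $e = $_.Exception
    while ($e) {
        Write-Host "  $($e.GetType().FullName): $($e.Message)"
        $e = $e.InnerException
    }
}

# 4. For comparison, let the cmdlet discover a DC itself instead of using the identity
#    passed in; if this succeeds while step 3 fails, the problem is the identity value
#    (e.g. short name vs. FQDN), not the connection or the account.
try {
    $found = Get-ADDomainController -Discover -ErrorAction Stop
    Write-Host "Discovered DC: $($found.HostName)"
} catch {
    Write-Host "Discovery also failed: $($_.Exception.Message)"
}
```

If the script succeeds when run interactively as a domain administrator but fails under the forwarder's service account, the difference is the account's rights (or a logon type that cannot reach ADWS), which is the piece of the installation guide that was skipped; if it fails in both contexts, steps 2 and 4 narrow it down to the ADWS service, the port, or the identity string the TA passes in.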