
Splunk App for Windows Infrastructure - deployment issues

Explorer

Hi,

I'm trying to deploy the Splunk App for Windows Infrastructure on a small AD environment (2 domain controllers, a few other Windows servers and 1 Splunk indexer).

I installed everything according to the app specification, but I'm getting very little information via the app itself now. I can see that I do not get any info re users or groups, etc.

I noticed that the PowerShell scripts aren't running OK, i.e. the script below should gather some topology info but returns an error (see the end of the post).

Any ideas what could go wrong?

[powershell://AD-Health]
script = & "$SplunkHome\etc\apps\TA-DomainController-2012R2\bin\Invoke-MonitoredScript.ps1" -Command ".\ad-health.ps1"
schedule = 0 */5 * ? * *
index = msad
source=Powershell
sourcetype=MSAD:NT6:Health
disabled=false

ParentIdentity="5e1ba9e1-f102-4156-8e0e-7abed0a5d1c3" ErrorIndex="0" ErrorMessage="A local error has occurred" PositionMessage="At C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-2012R2\bin\siteinfo.ps1:7 char:8 + $DC = Get-ADDomainController -Identity $ServerName + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" CategoryInfo="NotSpecified: (REDACTED:ADDomainController) [Get-ADDomainController], ADException" FullyQualifiedErrorId="ActiveDirectoryServer:8251,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController" Exception="Microsoft.ActiveDirectory.Management.ADException: A local error has occurred ---> System.ServiceModel.FaultException1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. Server stack trace: at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.TopologyManagement.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) --- End of inner exception stack trace --- at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException) at 
Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADTopologyManagement.GetADDomainController(ADSessionHandle handle, GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADTopologyManagement.GetDomainController(String[] dcNtdsSettingsDN) at Microsoft.ActiveDirectory.Management.Commands.ADDomainControllerFactory1.GetExtendedObjectFromIdentity(T identityObj, String identityQueryPath, ICollection1 propertiesToFetch, Boolean showDeleted) at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase3.ADGetCmdletBaseProcessCSRoutine() at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke() at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase1.ProcessRecord()" InnerException="System.ServiceModel.FaultException1[schemas.microsoft.com.2008.1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. (Fault Detail is equal to schemas.microsoft.com.2008.1.ActiveDirectory.CustomActions.GetADDomainControllerFault)."

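The call that fails in the error above is Get-ADDomainController. The ActiveDirectory module issues that call through Active Directory Web Services (ADWS, TCP 9389) rather than straight LDAP, so the two things to confirm first are that ADWS is up on the DC and that the account the forwarder runs under can complete the call. The diagnostic below is an added example, not part of the TA-DomainController-2012R2 add-on or of the original post. It assumes it is run on the DC itself, in the same security context as the Splunk forwarder service (by default LocalSystem, e.g. via a SYSTEM shell or a scheduled task), on Server 2012 R2 or later where Test-NetConnection is available.

```powershell
# Added diagnostic for the failing [powershell://AD-Health] input.
# Not part of the add-on; run it on the DC as the forwarder's service account.
$ServerName = $env:COMPUTERNAME   # siteinfo.ps1 passes the local name as -Identity

Write-Host "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"

# 1. Get-ADDomainController goes through ADWS, so the service must be running.
$adws = Get-Service -Name ADWS -ErrorAction SilentlyContinue
if (-not $adws) {
    Write-Warning "ADWS service is not installed on this host"
} elseif ($adws.Status -ne 'Running') {
    Write-Warning "ADWS service is $($adws.Status); the AD cmdlets will fail"
} else {
    Write-Host "ADWS service: Running"
}

# 2. ADWS listens on TCP 9389; confirm the port answers locally.
$tcp = Test-NetConnection -ComputerName $ServerName -Port 9389 -WarningAction SilentlyContinue
Write-Host ("TCP 9389 reachable: {0}" -f $tcp.TcpTestSucceeded)

# 3. Reproduce the exact call from siteinfo.ps1 and surface the inner exception,
#    which is where the "LDAP operation failed" detail in the posted log came from.
Import-Module ActiveDirectory -ErrorAction Stop
try {
    $dc = Get-ADDomainController -Identity $ServerName -ErrorAction Stop
    Write-Host "Get-ADDomainController -Identity OK: $($dc.HostName) site=$($dc.Site)"
} catch {
    Write-Warning "Get-ADDomainController -Identity failed: $($_.Exception.Message)"
    if ($_.Exception.InnerException) {
        Write-Warning "Inner: $($_.Exception.InnerException.Message)"
    }
}

# 4. Same lookup addressed by FQDN through -Server. If this succeeds while the
#    -Identity form fails, the identity string, not ADWS or permissions, is the problem.
$fqdn = [System.Net.Dns]::GetHostEntry($ServerName).HostName
try {
    $dc2 = Get-ADDomainController -Server $fqdn -ErrorAction Stop
    Write-Host "Get-ADDomainController -Server OK: $($dc2.HostName)"
} catch {
    Write-Warning "Get-ADDomainController -Server $fqdn failed: $($_.Exception.Message)"
}
```

The point of running it as the service account rather than as the logged-on administrator is that the forwarder's scheduled PowerShell inputs inherit the service identity, so a cmdlet that works in an admin console can still fail in the input. Compare the "Running as" line with the account shown for the SplunkForwarder service in services.msc before trusting the rest of the output.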

Re: Splunk App for Windows Infrastructure - deployment issues

Contributor

Hi africates,
Did you verify your ldap.conf?
The following can also help:
http://docs.splunk.com/Documentation/MSApp/1.0.2/MSInfra/EnableAuditingandPowerShellondomaincontroll...


Re: Splunk App for Windows Infrastructure - deployment issues

Explorer

Hi,

I had configured ldap.conf on the Splunk server (\\c$\Program Files\Splunk\etc\apps\SA-ldapsearch\local\ldap.conf); see the config below.

I also enabled auditing and PowerShell script execution on the AD servers via GPO.

The only thing which I skipped from the whole installation guide was setting up an AD user for the Splunk server. Instead of that, I am running the Splunk server service as a domain administrator temporarily, which I believe should be fine.

Any other ideas? Maybe there is some way of debugging the whole process?

[default]
server =

[my-domain.local]
server = ;
basedn = DC=my-domain,DC=local
binddn = cn=user,OU=Managed Service Accounts,DC=my-domain,DC=local
password = xxx
alternatedomain = MY-DOMAIN

thanks
p

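Since the posted ldap.conf leaves server empty and the app's lookups are built from user, computer and group objects, a quick way to validate the stanza independently of SA-ldapsearch is to bind with the same binddn and basedn from PowerShell and count those three object classes. This is an added check, not code from SA-ldapsearch or from the thread; the DC hostname is a placeholder (the posted config shows no server), the DN and base DN are copied from the posted stanza, and it uses LDAPS on 636 because a simple bind otherwise sends the password in clear (the posted ldap.conf does not show whether the app's own connection is TLS-protected).

```powershell
# Added check: does the ldap.conf bind identity actually see users, computers
# and groups under basedn? Not part of SA-ldapsearch.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server   = 'dc01.my-domain.local'   # assumed; ldap.conf has server empty
$basedn   = 'DC=my-domain,DC=local'
$binddn   = 'CN=user,OU=Managed Service Accounts,DC=my-domain,DC=local'
$password = Read-Host -AsSecureString 'Bind password'

# Simple (Basic) bind with the DN/password pair, over LDAPS so the password is not sent in clear.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection("$server`:636")
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($binddn, $password)

try {
    $conn.Bind()
    Write-Host "Bind OK as $binddn"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Warning "Bind failed: $($_.Exception.Message) (ErrorCode $($_.Exception.ErrorCode))"
    return
}

# One search per object class the app's Users/Computers/Groups lookups depend on.
$filters = [ordered]@{
    users     = '(&(objectCategory=person)(objectClass=user))'
    computers = '(objectCategory=computer)'
    groups    = '(objectCategory=group)'
}

foreach ($name in $filters.Keys) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $basedn, $filters[$name],
        [System.DirectoryServices.Protocols.SearchScope]::Subtree, 'sAMAccountName')

    # Page through results: a DC caps a single response at 1000 entries by default,
    # so an unpaged count would silently stop there.
    $page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
    [void]$req.Controls.Add($page)

    $count = 0
    do {
        $resp   = $conn.SendRequest($req)
        $count += $resp.Entries.Count
        $cookie = ($resp.Controls |
            Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
        $page.Cookie = $cookie
    } while ($cookie -and $cookie.Length -gt 0)

    Write-Host ("{0,-9} {1}" -f $name, $count)
}

$conn.Dispose()
```

A bind failure here points at the binddn or password in ldap.conf; a successful bind with zero counts points at the basedn or at read permissions on the bind account rather than at the Splunk side.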

Re: Splunk App for Windows Infrastructure - deployment issues

Explorer

OK, I think I'm getting somewhere. I am able to run 'ldapsearch' using the Splunk Support - LDAP Commands app. I can also see some indexes triggered by the add-ons installed on the DCs (i.e. for TA-DomainController-2012R2 when executing: index=msad sourcetype=MSAD:NT6:Health).
I still, however, have a problem with the Splunk App for Windows Infrastructure. When I'm running 'App Configuration' I'm not getting Users, Computers and Groups.
I was under the impression that these are preconfigured in the add-ons which I installed on the DCs, but maybe they are not. What should I check in inputs.conf? Thanks.


Re: Splunk App for Windows Infrastructure - deployment issues

Explorer

I ignored that Users, Computers and Groups weren't detected, checked these under 'App Configuration' and created lookups. I can see some reports when I do the search now, but the ones below (and more) are missing:
Users > Administrator Audit (Account Domain and Administrator: no results)
