
Splunk App for Active Directory - All data are going to the main index

rbw78
Communicator

Hello

I'm having an issue with the Splunk App for Active Directory.
All the data are indexed into the main index, which makes the app unusable, as it searches the indexes msad, perfmon and winevents.

I've installed the Windows TA on the Windows servers and on the Splunk instance side.
I've used the latest version downloaded here:
http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on

On the monitored Windows servers:
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows

On the server side:
/opt/splunk/etc/apps/Splunk_for_ActiveDirectory/appserver/addons/TA-DomainController-NT6/local
with the inputs.conf file like this:

[WinEventLog:DFS Replication]
disabled=0
sourcetype="WinEventLog:DFS Replication"
index=winevents
queue=parsingQueue

#
# Application and Services Logs - Directory Service
#
[WinEventLog:Directory Service]
disabled=0
sourcetype="WinEventLog:Directory Service"
index=winevents
queue=parsingQueue

#
# Application and Services Logs - File Replication Service
#
[WinEventLog:File Replication Service]
disabled=0
sourcetype="WinEventLog:File Replication Service"
index=winevents
queue=parsingQueue

#
# Application and Services Logs - Key Management Service
#
[WinEventLog:Key Management Service]
disabled=0
sourcetype="WinEventLog:Key Management Service"
index=winevents
queue=parsingQueue

#
# Collect Replication Information
#
[script://.\bin\runpowershell.cmd ad-repl-stat.ps1]
source=Powershell
sourcetype=MSAD:NT6:Replication
interval=300
index=msad
disabled=false

#
# Collect Health and Topology Information
#
[script://.\bin\runpowershell.cmd ad-health.ps1]
source=Powershell
sourcetype=MSAD:NT6:Health
interval=300
index=msad
disabled=false

#
# Collect Site, Site Link and Subnet Information
#
[script://.\bin\runpowershell.cmd siteinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:SiteInfo
interval=3600
index=msad
disabled=false

#
# Perfmon Collection
#
[perfmon://Processor]
object = Processor
counters = *
instances = *
interval = 10
disabled = 0
index=perfmon

[perfmon://Memory]
object = Memory
counters = *
interval = 10
disabled = 0
index=perfmon

[perfmon://Network_Interface]
object = Network Interface
counters = *
instances = *
interval = 10
disabled = 0
index=perfmon

[perfmon://DFS_Replicated_Folders]
object = DFS Replicated Folders
counters = *
instances = *
interval = 30
disabled = 0
index=perfmon

[perfmon://NTDS]
object = NTDS
counters = *
interval = 10
disabled = 0
index=perfmon

#
# ADMon Collection
#
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
interval=3600
disabled=false
index=msad

#
# Subnet Affinity Log
#
[monitor://C:\Windows\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled=false
index=msad

I got data from the execution of the scripts, as I find these sourcetypes in the main index:
- WinEventLog:Security
- WinEventLog:System
- fs_notification
- WinEventLog:Application
- ActiveDirectory
- WinEventLog:Setup

I guess I've followed all the steps to install and configure the app by following this tutorial, but it seems I've done something wrong ...
http://docs.splunk.com/Documentation/ActiveDirectory/latest/DeployAD/Deploymentprocess
I've already looked for my mistake, but without success.

Could someone help me troubleshoot this?

Thanks.


rbw78
Communicator

Well, I resolved my issue by copying the files in the Windows TA from the "default" folder to the "local" folder, especially inputs.conf.
The 3 indexes are now receiving data; I saw the number of indexed events growing from 0 to n.

Anyway, there's still nothing on the Splunk App for Active Directory interface ...
I now get the message "no matching fields exist".

This is really frustrating.


rbw78
Communicator

Thanks for the link knewter, I will have a look at it.


knewter
Engager

From what I've seen, the best way to install the AD app is to leave everything at default. Also, this blog post is very helpful:
http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/


knewter
Engager

Have you tried using btool to see if there is another inputs.conf taking precedence? What results do you get when you run the following command:
./splunk cmd btool inputs list --debug

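To make the btool suggestion concrete, here is an added example (not code from the thread, from Splunk, or from the Windows TA) that emulates what `btool inputs list --debug` does: it layers the inputs.conf files of one app in Splunk's documented precedence order (system/default, then the app's default, then the app's local, then system/local) and records which file supplied each key, so you can see why an input lands in a different index than the one you configured. The file contents and the layer paths are constructed for illustration; a key left unset falls back to the implicit `main` index, which is the symptom described in the question. The model covers only one app's default/local pair plus the system directories, not the ordering between several apps.

```python
"""Emulate Splunk's inputs.conf layering to show which file wins per key.

Added example, not Splunk's own code. Layer order and the 'main' fallback
follow Splunk's configuration precedence docs; file contents are constructed.
"""
import configparser
from typing import Dict, Tuple

# Precedence in global context, lowest to highest (assumed single app "TA").
LAYERS = ["system/default", "apps/TA/default", "apps/TA/local", "system/local"]

# Constructed file contents keyed by layer path (hypothetical, not real TA files).
# The stale local file overrides the index set in default for one stanza,
# and the second stanza sets no index at all.
FILES = {
    "apps/TA/default": """
[WinEventLog:Security]
disabled = 0
index = winevents

[WinEventLog:System]
disabled = 0
""",
    "apps/TA/local": """
[WinEventLog:Security]
index = main
""",
}

Setting = Tuple[str, str]               # (value, layer that supplied it)
Effective = Dict[str, Dict[str, Setting]]


def parse(text: str) -> Dict[str, Dict[str, str]]:
    """Parse one .conf file into {stanza: {key: value}}; keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge(files: Dict[str, str], layers) -> Effective:
    """Apply layers lowest to highest; a later layer overrides per key, and the
    winning layer is recorded next to the value, like btool --debug."""
    eff: Effective = {}
    for layer in layers:
        if layer not in files:
            continue
        for stanza, kv in parse(files[layer]).items():
            for key, value in kv.items():
                eff.setdefault(stanza, {})[key] = (value, layer)
    return eff


def effective_index(eff: Effective, stanza: str) -> Setting:
    """Index the input writes to; Splunk uses 'main' when no index is set."""
    return eff.get(stanza, {}).get("index", ("main", "<implicit default>"))


def report(eff: Effective) -> str:
    """Render the merged view, one line per key with its source layer."""
    lines = []
    for stanza in sorted(eff):
        lines.append(f"[{stanza}]")
        for key, (value, layer) in sorted(eff[stanza].items()):
            lines.append(f"  {layer:<18} {key} = {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = merge(FILES, LAYERS)
    print(report(merged))
    for name in ("WinEventLog:Security", "WinEventLog:System"):
        print(name, "->", effective_index(merged, name))
```

Reading the real `btool` output the same way, look at the path printed in front of each `index` line for the msad, perfmon and winevents stanzas: if it is not the file you edited, a higher-precedence local file is overriding it, and if no `index` line is printed at all, the input is going to `main`.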