All Apps and Add-ons

Splunk for Windows Infrastructure: Search has no information, it's waiting for input or no results found

hichem_khalfi
Path Finder

Hello
please I will ask several questions and thank you for taking step by step because I am a student and this is my first time using splunk enterprise:
I want to monitor my active directory I found the application "splunk for windows infrastructure"

I have successfully configured add on Splunk_TA_microsoft_ad on the portal.

of course these 2 add ons exist in C:\Program Files\SplunkUniversalForwarder\etc\apps on my active directory server
for licensing reasons I only enabled index [WinEventLog://Security] for the input of the add on Splunk_TA

[WinEventLog://Security]
disabled = 0
start_from oldest
current_only = 0
evt_resolve_ad_obj = 1
Interval checkpoint = 5
whitelist=
4724,4725,4726,4624,4625,4720,4732,4722,4738,4742,4729,4715,4719
blacklist1 = EventCode="4662" Message="Object Type: (?!
\s*group Policy Container)"
blacklist2 = EventCode="566" Message="Object Type: (?!
\s*group PolicyContainer)"
renderXml=true

and I created the local folder from which I copied the input.con and app.conf files after modification.


but when I run the Splunk for windows infrastructure application I find no information: either the search is waiting for input or no results found.

I don't know what configuration I missed.
Of course, I deactivated the firewall carefully and when I do raw searches with search and reporting I got the information so the logs are sent from the server but there is a problem at the application level


If not, do you have another proposal for AD monitoring??

and thank you

Labels (3)
0 Karma

hichem_khalfi
Path Finder

@SinghK @gcusello please i'm sorry 

i'm trying to verify my job 

how can i Tell the deployment server to reload its deployment configuration with powershell because  i find only for linux method

 cd \Program Files\Splunk\bin
> .\splunk reload deploy-server

 

0 Karma

SinghK
Builder

run that from linux command line 

you will be running that as splunk user

else you need to put in the complete path of you bin directory 

/opt/splunk/bin/splunk reload deploy-server.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hichem_khalfi,

this isn't a Powershell command, it's a Splunk CLI command that you can run on Windows opening a cmd session with Administrative grants (run as administrator).

This command is useful to force the deploy of new configurations, if you don't force it, it will be anyway deployed after few minutes.

Ciao.

Giuseppe

0 Karma

hichem_khalfi
Path Finder

ok thanks

i try to unistall all and i'm rebolt evrythink from the begin

i have an issue to deploy the TA_windows_AD, when i want to check the data with the command: host="myhost".....

i have nothing, i have only this notification :

Eventtype 'wineventlog_security' does not exist or is disabled

and this message :
Now skipping indexing of internal audit events, because the downstream queue is not accepting data. Will keep dropping events until data flow resumes. Review system health: ensure downstream indexing and/or forwarding are operating correctly.

 

@gcusello @SinghK  i'm sorry 

0 Karma

SinghK
Builder

In your inputs [WinEventLog://Security]

[WinEventLog://Security]

index= <your index name here>
disabled = 0
start_from oldest
current_only = 0
evt_resolve_ad_obj = 1
Interval checkpoint = 5
whitelist=
4724,4725,4726,4624,4625,4720,4732,4722,4738,4742,4729,4715,4719
blacklist1 = EventCode="4662" Message="Object Type: (?!
\s*group Policy Container)"
blacklist2 = EventCode="566" Message="Object Type: (?!
\s*group PolicyContainer)"
renderXml=true

Add index = your index name thats how it will know where to send data.

Then in search bar search your index 

Index= your index and too should see the data.

 

 

 

0 Karma

hichem_khalfi
Path Finder

les informations sont indexés automatiquement sous index= main

quand je lance index= main source WinEventLog:Security.....je recois les evenements.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hichem_khalfi,

at first, are you receiving other logs from that Forwarder?

you can check on Splunk server running the following search:

index=_internal host=your_host

if not, there a problem in log sending, you have to check:

  • the connection, running from CLI "telnet indexer_IP_address 9997",
  • the outputs.conf on your Forwarder.

if yes, you have to check the confioguration of your local inputs.conf, could you share it?

Did you restarted Splunk on Forwarder after inputs.conf update?

Ciao.

Giuseppe

hichem_khalfi
Path Finder

please i did a copy for all the configuration in a pdf file

check it

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hichem_khalfi,

configurations seem to be OK.

did you performed the other checks I asked'

Ciao.

Giuseppe

0 Karma

hichem_khalfi
Path Finder

oui oui c'est fait correctement 

déjà je suis en train de faire quelques recherches brutes et je trouve les informations

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hichem_khalfi,

sorry if I continue to speak in english but I don't speak French.

Let me understand:

you have Splunk internal logs from that server, but you haven't in index=main the other events, is this correct?

Ciao.

Giuseppe

0 Karma

hichem_khalfi
Path Finder

for me when I do classic research through search and reporting, I can get results
index = main ......eventid.....source.....
I can have events with this method
but when I switch to the splunk for windows infrastructure application that its search codes are ready automatically I do not receive any information or event

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @hichem_khalfi,

did you configured the App?

if I correctly remember (it's an archived App and I used it some years ago), it uses many lookups to generate executing searches during the initial setup phase.

Did you followed instructions at https://splunkbase.splunk.com/app/1680/#/details?

Ciao.

Giuseppe

 

0 Karma

hichem_khalfi
Path Finder

veuillez @gcusello @SinghK 

j’ai lu dans cette url

Installer l’application Splunk pour l’infrastructure Windows sur la tête de recherche - Documentatio...

cela:

Ajoutez le rôle « winfra-admin » à l’utilisateur qui exécutera l’application sur la tête de recherche

  1. Connectez-vous à Splunk Enterprise sur le déployeur.
  2. Dans la barre système, cliquez sur Paramètres > Contrôles d’accès.
  3. Cliquez sur Utilisateurs.
  4. Cliquez sur l’utilisateur qui exécutera l’application. Splunk Enterprise affiche la page d’informations pour l’utilisateur.
  5.  

 

mais je ne le trouve pas

0 Karma

SinghK
Builder

@hichem_khalfi  I am sorry , but i do not understand French.

But for the question below they are just asking to assign winfra-admin role to a user. It could be any user.

So first thing to check is settings -->User and Authentication --> Roles  and check if winfra-admin role exists. Only then you will be able to assign it to a user.

0 Karma

hichem_khalfi
Path Finder

exactly i c'ant fin it i dont know why 

0 Karma

SinghK
Builder

Did you follow the install instructions from the link posted by @gcusello

or if you did not can you just goto this link and or above one and verify if all is installed correctly.

https://docs.splunk.com/Documentation/MSApp/2.0.4/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastru... 

0 Karma

SinghK
Builder

Yeah, you will have to setup the app's searches as per your environment. update index details etc. in order for it to work properly. 

hichem_khalfi
Path Finder

that is my problem, i d'ont know jow i do that

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...