Is there a way to stop the flood of Windows replication log entries? I think I would only need to know on failures.
Thanks
Tom
In accordance with one of the installation guidelines, I added these apps to each of my domain controllers: TA-DNSServer-NT6 and TA-DomainController-NT6.
When I removed these apps, the Replication, Site Info and Health logging stopped.
No response yet. Hmmmm. Anybody know how to stop the flood of these events?
sourcetype = MSAD:NT6:Health
sourcetype = MSAD:NT6:SiteInfo
So I am narrowing in on the culprit. I have disabled all logging related to Replication on my Domain Controllers but am still getting 10,000s of replication, DNS, SiteInfo and Health reports daily.
The source = Powershell finally tipped me off that there is no PowerShell event log that I can find in the Windows Event Viewer. I did some more Google-fu and found a blog about the Splunk server executing PowerShell commands:
http://blogs.splunk.com/?s=powershell+replication
Does anybody know where these PowerShell commands are located and if I can modify or stop them altogether?
And if you do know how, I'd like to be able to get any failed replication events or failed DNS events, just not 10,000 information events per server per day.
So simply doing a search on my Splunk server with the word "Powershell" I found some scripts in:
E:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\appserver\addons\common\bin
E:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\appserver\addons\TA-DNSServer-NT5\bin\powershell
E:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\appserver\addons\TA-DNSServer-NT6\bin
E:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\appserver\addons\TA-DomainController-NT6\bin
Like this one: ad-repl-stat.ps1
    Import-Module ActiveDirectory -ErrorAction SilentlyContinue
    # One object per inbound replication partner and partition, every time the input runs
    Get-ADReplicationPartnerMetaData -Target $env:ComputerName -PartnerType Inbound -Partition * | %{
        # Resolve the partner's server object to read its DNS host name
        $src_host = Get-ADObject -Filter * -SearchBase $_.Partner.Replace("CN=NTDS Settings,","") `
            -SearchScope Base -Properties dNSHostName
        New-Object PSObject -Property @{
            LastAttemptedSync = $_.LastReplicationAttempt
            LastSuccessfulSync = $_.LastReplicationSuccess
            type = "ReplicationEvent"
            usn = $_.LastChangeUsn
            src_host = $src_host.dNSHostName
            Result = $_.LastReplicationResult
            transport = $_.IntersiteTransportType
            naming_context = $_.Partition
        }
    }
I have both 2008R2 and 2012R2 Domain Controllers. I'm not sure which scripts need to be modified and if they need to be modified on the Splunk Server or on the Domain Controllers. Any help or direction would be appreciated.
I may have found the answer: Settings --> Data Inputs --> Scripts
I disabled these three scripts:
E:\Program Files\Splunk\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd ad-health.ps1
E:\Program Files\Splunk\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd ad-repl-stat.ps1
E:\Program Files\Splunk\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd siteinfo.ps1
NOPE! Still getting these. I even renamed the scripts in the folder. There is some sort of bug here. I will need to open a case with support I guess. Cheers! Yay!
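
For the "failures only" goal raised in the thread, here is an added example (not from the original posts and not Splunk's own code): a variant of the ad-repl-stat.ps1 logic quoted above that emits a row only when LastReplicationResult is nonzero. The function name Select-FailedReplication, the example.com names and the sample rows are assumptions made up for illustration.

```powershell
# Added example, not Splunk's code. Select-FailedReplication is a hypothetical name.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function Select-FailedReplication {
    param(
        [Parameter(ValueFromPipeline = $true)] $Metadata,
        # Maps the partner's NTDS Settings DN to a host name; default echoes the DN.
        [scriptblock] $ResolvePartner = { param($dn) $dn }
    )
    process {
        # LastReplicationResult is 0 after a successful sync; skip those rows.
        if ($Metadata.LastReplicationResult -eq 0) { return }
        New-Object PSObject -Property @{
            type               = "ReplicationEvent"
            LastAttemptedSync  = $Metadata.LastReplicationAttempt
            LastSuccessfulSync = $Metadata.LastReplicationSuccess
            usn                = $Metadata.LastChangeUsn
            src_host           = & $ResolvePartner $Metadata.Partner
            Result             = $Metadata.LastReplicationResult
            transport          = $Metadata.IntersiteTransportType
            naming_context     = $Metadata.Partition
        }
    }
}

if (Get-Command Get-ADReplicationPartnerMetadata -ErrorAction SilentlyContinue) {
    # On a domain controller: same query and partner lookup as the quoted script.
    $lookup = {
        param($dn)
        (Get-ADObject -Filter * -SearchBase $dn.Replace("CN=NTDS Settings,", "") `
            -SearchScope Base -Properties dNSHostName).dNSHostName
    }
    Get-ADReplicationPartnerMetadata -Target $env:ComputerName -PartnerType Inbound -Partition * |
        Select-FailedReplication -ResolvePartner $lookup
} else {
    # Elsewhere: constructed sample rows (not real data) to show the filter.
    $site = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com"
    $now  = Get-Date
    $rows = @(
        New-Object PSObject -Property @{ Partner = "CN=NTDS Settings,CN=DC02,$site"
            Partition = "DC=example,DC=com"; LastReplicationResult = 0; LastChangeUsn = 120345
            LastReplicationAttempt = $now; LastReplicationSuccess = $now; IntersiteTransportType = $null }
        New-Object PSObject -Property @{ Partner = "CN=NTDS Settings,CN=DC03,$site"
            Partition = "DC=example,DC=com"; LastReplicationResult = 8524; LastChangeUsn = 98211
            LastReplicationAttempt = $now; LastReplicationSuccess = $now.AddDays(-2); IntersiteTransportType = $null }
    )
    $rows | Select-FailedReplication   # only the DC03 row is emitted
}
```

With a filter like this, healthy replication produces no events at all, so an empty result cannot be told apart from an input that has stopped running unless the input's own execution is monitored separately.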