Solved: Stop logging windows replication - sourcetype = MS...

schultet · ‎01-29-2015

Is there a way to stop the flood of windows replication log entries - I think I would only need to know on failures

Thanks
Tom

schultet · ‎02-12-2015

In accordance with one of installation guidelines I added these apps to each of my domain controllers" TA-DNSServer-NT6 and TA_DomianController-NT6

When I removed these apps the Replication , Site Info and Health logging stopped.

View solution in original post

schultet · ‎02-12-2015

In accordance with one of installation guidelines I added these apps to each of my domain controllers" TA-DNSServer-NT6 and TA_DomianController-NT6

When I removed these apps the Replication , Site Info and Health logging stopped.

schultet · ‎02-04-2015

No Repsonse yet. hmmmm. Anybody know how to stop the flood of these events

sourcetype = MSAD:NT6:Health

sourcetype = MSAD:NT6:SiteInfo

schultet · ‎02-06-2015

So I am norrowing in on the culprit - I have disable all logging related to Replication on my Domain Controllers but still getting 10,000s replication, DNS siteinfo and Health reports daily.

The source = Powershell finally tipped me off that there is no PowerShell event log that I can find in the Windows event viewer. Doing some more google-foo and found a blog about Splunk server executing Powershell commands
http://blogs.splunk.com/?s=powershell+replication

Does anybody know where these powershell commands are located and if I can modify or stop them all together?

schultet · ‎02-06-2015

And if you do know how - Id like to be able to get any failed replication events or failed DNS events just not 10,000 information events per server per day

schultet · ‎02-06-2015

So simply doing a search on my Splunk server with the word "Powershell" I found some scripts in:

E:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\appserver\addons\common\bin
E:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\appserver\addons\TA-DNSServer-NT5\bin\powershell
E:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\appserver\addons\TA-DNSServer-NT6\bin
E:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\appserver\addons\TA-DomainController-NT6\bin

Like this one: ad-repl-stat.ps1

Import-Module ActiveDirectory -ErrorAction SilentlyContinue
Get-ADReplicationPartnerMetaData -Target $env:ComputerName -PartnerType Inbound -Partition * | %{
$src_host = Get-ADObject -Filter * -SearchBase $.Partner.Replace("CN=NTDS Settings,","") `
-SearchScope Base -Properties dNSHostName
New-Object PSObject -Property @{
LastAttemptedSync = $.LastReplicationAttempt
LastSuccessfulSync = $.LastReplicationSuccess
type = "ReplicationEvent"
usn = $.LastChangeUsn
src_host = $src_host.dNSHostName
Result = $.LastReplicationResult
transport = $.IntersiteTransportType
naming_context = $_.Partition
}

}

I have both 2008R2 and 2012R2 Domain Controllers - I'm not sure which scripts need to be modified and if they need to be modified on the Splunk Server or on the Domain Controllers. Any help or direction would be appreciated

schultet · ‎02-06-2015

I may have found the answer: Settings --> Data Inputs --> Scripts

I disable these three scripts

E:\Program Files\Splunk\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd ad-health.ps1

E:\Program Files\Splunk\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd ad-repl-stat.ps1

E:\Program Files\Splunk\etc\apps\TA-DomainController-NT6\bin\runpowershell.cmd siteinfo.ps1

schultet · ‎02-06-2015

NOPE! Still getting these I even renamed the scripts in the folder. There is some sort of bug here. I will need to open a case with support I guess. Cheers! Yay!

Stop logging windows replication - sourcetype = MSAD:NT6:Replication

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms