Trouble Setting Up Splunk App for Active Directory

jakob2534
New Member

I have setup the free version of Splunk and installed the Splunk App for Active Directory. I am trying to pilot a POC to our IT leadership with hopes to budget for and purchase Enterprise licensing early next year. Unfortunately, I do not seem to be receiving any data from the UF installed on our Domain Controller. I have read through all of the online documentation I can find and followed it to the best of my ability, but I’m assuming I’m missing some critical step or have misconfigured something. We are a single domain, single forest, and are running at a forest/domain functional level of 2003. So far I have:

• Deployed new Windows Server 2008 R2 Standard, fully patched

• Installed single Splunk instance as primary deployment server, indexer, and search head

• Enabled AD Auditing and script execution via GPO

• Downloaded Splunk App for Active Directory and Splunk TAs for Windows

• Copied Splunk TA Windows, TA-DomainController-NT6, and TA-DNSServer-NT6 to Splunk\etc\deployment-apps on Splunk server

• Configured serverclass.conf on deployment server

• Installed UF on Windows Server 2008 R2 Domain Controller, and configured to point to deployment server on port 8089

• Installed SA-ldapsearch, Sideview Utils, Splunk App for Active Directory, and Splunk TAs for Windows on Splunk server

• Configured ldap.conf and eventtypes.conf

• Restarted Splunk server and UF

• Confirmed that the UF on the DC received the deployed apps

I’ve searched the Splunkbase and online documentation, and can’t determine why I’m not receiving any data from the UF. Any help you can provide would be very helpful. Let me know if you need me to provide any sort of logs or config files to better troubleshoot.

Thanks

0 Karma

ahall_splunk
Splunk Employee

Since nothing is coming across, check these things:

1) Do you have Windows Firewall turned on for your Splunk Indexer? If you do, you need to either turn it off or add an exception in for the TCP port you are using to receive data
2) Have you set up a Receiver for the UF to indexer data transfer on the Splunk Indexer?
3) Do you have an appropriate outputs.conf on your UF?
4) Do you have a firewall on the UF that prevents you from communicating with the indexer?

One of those four should get data flowing to the indexer. Once you have that, everything else should "just work"

0 Karma

ahall_splunk
Splunk Employee

If that's the whole of outputs.conf, then there is no IP address of your indexer there. Take a look at this page: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd

You can create a TA-forwarder on your deployment server and push an outputs.conf file out to your forwarder if that piece is working.

0 Karma

jakob2534
New Member

[tcpout]
autoLB = true
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
sendCookedData = true
connectionTimeout = 20
readTimeout = 300
writeTimeout = 300
useACK = false

0 Karma
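As an added check (not code from the thread or from Splunk), this script parses an outputs.conf and reports the defect ahall_splunk points out: a [tcpout] stanza with no [tcpout:<group>] naming an indexer as server = host:port. Both sample configs are constructed for the example; 192.0.2.10 is a placeholder indexer address.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the outputs.conf posted above: tuning keys
# under [tcpout], but no output group that names an indexer.
POSTED_CONF = """\
[tcpout]
autoLB = true
maxQueueSize = 500KB
useACK = false
"""

# Constructed corrected sample; 192.0.2.10:9997 is a placeholder indexer.
FIXED_CONF = """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = 192.0.2.10:9997
"""

STANZA = re.compile(r"^\[(.+?)\]\s*$")

def parse_conf(text):
    """Minimal parser for Splunk .conf files: {stanza: {key: value}}."""
    stanzas, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_outputs(text):
    """Return findings explaining why a forwarder has nowhere to send data."""
    conf, findings = parse_conf(text), []
    groups = {n: b for n, b in conf.items() if n.startswith("tcpout:")}
    if not groups:
        findings.append("no [tcpout:<group>] stanza: the forwarder has no indexer to send to")
    for name, body in groups.items():
        servers = [s.strip() for s in body.get("server", "").split(",") if s.strip()]
        if not servers:
            findings.append(f"{name} has no server = host:port entry")
        for s in servers:  # each target must look like host:port
            if not re.fullmatch(r"[^:\s]+:\d{1,5}", s):
                findings.append(f"malformed server entry {s!r}; expected host:port")
    default = conf.get("tcpout", {}).get("defaultGroup")
    if groups and default and f"tcpout:{default}" not in conf:
        findings.append(f"defaultGroup {default!r} does not match any tcpout group")
    return findings
```

Run check_outputs() against the forwarder's own $SPLUNK_HOME\etc\system\local\outputs.conf (or the merged output of splunk btool outputs list) before looking at firewalls or receivers.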

jakob2534
New Member

Thanks for the suggestions. I can confirm that no firewall is turned on for either the UF or Indexer. The receiver has been setup on the indexer on port 9997, and from what I can see on the UF there does not appear to be traffic transmitting on that port.

I will post my outputs.conf file in another comment. If you could take a look and let me know if you notice anything off about it, I would appreciate it.

0 Karma

bmacias84
Champion

If you modified the Splunk path to be your specific path, then it seems that you have a basic communication issue. Are there any events for

index=_internal source="%splunk%\var\log\splunk\metrics.log" destPort=9997

• Have you configured your Indexer to receive data on port 9997 (default port)?

• Have you configured your UF to forward over port 9997 to your indexer?

• Try using portqry.exe from Microsoft to test your ports

0 Karma

jakob2534
New Member

Says: "No results found."

0 Karma

bmacias84
Champion

Try this search. This will tell you if there is any throughput coming over your receiving port on your indexer.


index=_internal source="%splunk%\var\log\splunk\metrics.log" destPort=9997 | bucket _time span=1m | stats sum(tcp_KBps) as thruput by _time, hostname

0 Karma

jakob2534
New Member

Thanks for the suggestion. I just checked and there are multiple metrics.log logs. So it would appear the UF is at least collecting data, right?

0 Karma

bmacias84
Champion

Have you verified that your UF is sending any data? Check _internal and look for metrics.log and your UF.

0 Karma