I have set up the free version of Splunk and installed the Splunk App for Active Directory. I am trying to pilot a POC to our IT leadership with hopes to budget for and purchase Enterprise licensing early next year. Unfortunately, I do not seem to be receiving any data from the UF installed on our Domain Controller. I have read through all of the online documentation I can find and followed it to the best of my ability, but I'm assuming I'm missing some critical step or have misconfigured something. We are a single domain, single forest, and are running at a forest/domain functional level of 2003. So far I have:
• Deployed new Windows Server 2008 R2 Standard, fully patched
• Installed single Splunk instance as primary deployment server, indexer, and search head
• Enabled AD Auditing and script execution via GPO
• Downloaded Splunk App for Active Directory and Splunk TAs for Windows
• Copied Splunk TA Windows, TA-DomainController-NT6, and TA-DNSServer-NT6 to Splunk\etc\deployment-apps on Splunk server
• Configured serverclass.conf on deployment server
• Installed UF on Windows Server 2008 R2 Domain Controller, and configured to point to deployment server on port 8089
• Installed SA-ldapsearch, Sideview Utils, Splunk App for Active Directory, and Splunk TAs for Windows on Splunk server
• Configured ldap.conf and eventtypes.conf
• Restarted Splunk server and UF
• Confirmed that the UF on the DC received the deployed apps
I’ve searched the Splunkbase and online documentation, and can’t determine why I’m not receiving any data from the UF. Any help you can provide would be very helpful. Let me know if you need me to provide any sort of logs or config files to better troubleshoot.
Thanks for the suggestion. I just checked and there are multiple metrics.log logs. So it would appear the UF is at least collecting data, right?
Try this search. This will tell you if there is any throughput coming over your receiving port on your indexer.
index=_internal source="%splunk%\var\log\splunk\metrics.log" destPort=9997 | bucket _time span=1m | stats sum(tcpKBps) as thruput by _time, hostname
If you modified the Splunk path to be your specific path and still see nothing, then it seems that you have a basic communication issue. Are there any events for
index=_internal source="%splunk%\var\log\splunk\metrics.log" destPort=9997
Have you configured your UF to forward over port 9997 to your indexer?
Try using portqry.exe from Microsoft to test your ports
Since nothing is coming across, check these things:
1) Do you have Windows Firewall turned on for your Splunk Indexer? If you do, you need to either turn it off or add an exception in for the TCP port you are using to receive data
2) Have you set up a Receiver for the UF to indexer data transfer on the Splunk Indexer?
3) Do you have an appropriate outputs.conf on your UF
4) Do you have a firewall on the UF that prevents you from communicating with the indexer?
One of those four should get data flowing to the indexer. Once you have that, everything else should "just work"
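As an added example (not from the thread and not Splunk's own tooling), here is a PowerShell script that runs the four checks above from the forwarder side and then looks at what splunkd itself logged about its outbound connection. The indexer address 10.0.0.5 and the UF install path are placeholders I assumed; change them to match your environment. It uses System.Net.Sockets.TcpClient rather than Test-NetConnection because the latter does not exist in the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example: run on the Domain Controller that hosts the Universal Forwarder.
# Assumed values (not from the thread): indexer 10.0.0.5, default UF install path.
param(
    [string]$Indexer = '10.0.0.5',
    [int]$Port = 9997,
    [string]$UfHome = 'C:\Program Files\SplunkUniversalForwarder'
)

# 1. Raw TCP reachability to the receiving port. A failure here is either a firewall
#    in the path, the wrong indexer address, or no receiver enabled on the indexer.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async = $client.BeginConnect($Indexer, $Port, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(5000, $false) -and $client.Connected) {
        Write-Host "TCP ${Indexer}:${Port} reachable"
    } else {
        Write-Host "TCP ${Indexer}:${Port} NOT reachable (firewall, wrong IP, or no receiver)"
    }
} catch {
    Write-Host "TCP ${Indexer}:${Port} failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}

# 2. Windows Firewall state on the forwarder host itself.
netsh advfirewall show allprofiles state

# 3. outputs.conf as splunkd actually merges it across default/ and every app's local/.
#    A working forwarder shows a [tcpout] stanza with defaultGroup and a [tcpout:<group>]
#    stanza whose 'server' setting names the indexer host:port.
$splunk = Join-Path $UfHome 'bin\splunk.exe'
& $splunk btool outputs list --debug

# 4. The forwarder's own list of configured receivers (prompts for the UF admin login).
& $splunk list forward-server

# 5. Recent output-pipeline messages. 'Connected to idx=' means the connection is up;
#    repeated connect failures mean the network path, not the app config, is the problem.
$log = Join-Path $UfHome 'var\log\splunk\splunkd.log'
Get-Content $log | Select-String -Pattern 'TcpOutputProc|Connected to idx|forward-server' | Select-Object -Last 20
```

On the indexer side, `splunk display listen` run from the indexer's bin directory reports whether a receiving port is enabled, and `splunk enable listen 9997` turns one on if it is not.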
Thanks for the suggestions. I can confirm that no firewall is turned on for either the UF or Indexer. The receiver has been setup on the indexer on port 9997, and from what I can see on the UF there does not appear to be traffic transmitting on that port.
I will post my outputs.conf file in another comment. If you could take a look and let me know if you notice anything off about it, I would appreciate it.
autoLB = true
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
sendCookedData = true
connectionTimeout = 20
readTimeout = 300
writeTimeout = 300
useACK = false
If that's the whole of outputs.conf, then there is no IP address of your indexer there. Take a look at this page: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configureforwarderswithoutputs.confd
You can create a TA-forwarder on your deployment server and push an outputs.conf file out to your forwarder if that piece is working.
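As an added example (not from the thread), a PowerShell script that builds the TA-forwarder app described above on the deployment server and writes an outputs.conf that actually names the indexer. The posted outputs.conf contains only global tuning settings; what the forwarder is missing is the `[tcpout]` stanza that selects a group and the `[tcpout:<group>]` stanza whose `server` setting carries the indexer host:port. The Splunk install path, the indexer address 10.0.0.5 and the serverclass name `DomainControllers` are assumptions; change them to match your deployment.

```powershell
# Added example: run on the Splunk server that is acting as deployment server.
# Assumed values (not from the thread): Splunk at C:\Program Files\Splunk,
# indexer at 10.0.0.5:9997, an existing serverclass named DomainControllers.
$SplunkHome = 'C:\Program Files\Splunk'
$Indexer    = '10.0.0.5'
$Port       = 9997
$AppDir     = Join-Path $SplunkHome 'etc\deployment-apps\TA-forwarder\local'
New-Item -ItemType Directory -Path $AppDir -Force | Out-Null

# Minimal outputs.conf: a default group, and the group stanza that names the indexer.
# Everything else (autoLB, timeouts, useACK) falls back to the defaults already posted.
$outputs = @"
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = ${Indexer}:${Port}
"@
Set-Content -Path (Join-Path $AppDir 'outputs.conf') -Value $outputs -Encoding ASCII

# Make the app's enabled state explicit so the forwarder loads it on arrival.
@"
[install]
state = enabled
"@ | Set-Content -Path (Join-Path $AppDir 'app.conf') -Encoding ASCII

# Ask the deployment server to re-read serverclass.conf and the deployment-apps directory
# without a full restart; the forwarder picks the app up on its next phone-home.
& (Join-Path $SplunkHome 'bin\splunk.exe') reload deploy-server
```

For the app to be delivered, serverclass.conf on the deployment server still needs a `[serverClass:DomainControllers:app:TA-forwarder]` stanza (with `restartSplunkd = true` so the UF restarts and reads the new outputs.conf), alongside the stanzas you already have for the Windows TAs. After the UF restarts, the `splunk list forward-server` check on the forwarder should list 10.0.0.5:9997 under active forwards rather than inactive ones.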