I installed and configured Splunk App for Windows Infrastructure.
Along with it I installed: Splunk Add-on for PowerShell, Splunk Supporting Add-on for Active Directory (and configured it: "Connection test for default succeeded"), Splunk Add-on for Microsoft Active Directory, Splunk Add-on for Microsoft Windows DNS, Splunk Add-on for Microsoft Windows.
After I configured it and completed all the requirements, I see only one server (the Splunk server itself), but I don't see any domain controllers.
Where must I add the domain controllers?
✓ Splunk v6.6.0+
OK: Splunk v7.1.3 detected
OK: Key value store is enabled.
✓ Splunk Add-on for Microsoft Windows v4.8.3 or 4.8.4
OK: Splunk Add-on for Microsoft Windows v4.8.4 detected
✓ Splunk Supporting Add-on for Microsoft Windows Active Directory v2.1.7
OK: Splunk Supporting Add-on for Microsoft Windows Active Directory v2.1.7 detected
✓ Users and/or groups configured with the winfra-admin user role:
I think the problem is with the PowerShell module.
I have indexes (msad, perfmon, ...). I have sourcetypes (MSAD:NT6:..., Perfmon:..., ... )
And in sourcetype="Powershell:ScriptExecutionSummary" I have errors:
tcp://splunk-01:9389/ActiveDirectoryWebServices/Windows/Resource.
Exception="Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException: Не удалось найти сервер каталогов с удостоверением: "SPLUNK-01".
Splunk tries to connect to itself as if it were a DC, but it is not a DC... How can I configure a real DC for the connection?
Are you bringing data from your domain controllers and other Windows hosts?
Yes. But when I open predefined dashboards, such as users reports: disabled, I can't select a domain.
Or in other reports, where I must select a domain, site, or controllers, these dropdowns are empty.
I think that Splunk tries to read domain info from the Splunk server, but not from a real DC.