I am trying to configure the Splunk App for Windows Infrastructure. My topology includes two Windows Domain Controllers, one Windows Exchange Server, one Windows File Server, and two Cisco devices. Each Windows machine runs a universal forwarder, an indexer runs Splunk Enterprise 6.2.1 on Ubuntu 14, and there is no Search Head. The indexer is responsible for both indexing and searching.
About the app, the following is set up:
Splunk Add-on for Microsoft Windows v4.7.3
Splunk Supporting Add-on for Microsoft Windows Active Directory v2.0.1
The user has the winfra-admin user role and everything is marked with a green "tick". Besides that, when continuing the wizard I get the following error:
Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours
I read that Splunk Supporting Add-on for Microsoft Windows Active Directory should be installed on the search head (which is not present in my topology because I found there is no need to have one). Does anyone know what might be the problem?
Have you added the AD-relevant TAs to the domain controllers? MSAD data is generally grabbed through PowerShell scripts running on the domain controller. (You need PowerShell execution rights as well for this to work.)
People... I am confused big time here!
Is there any other add-on than the Splunk Supporting Add-on for Active Directory?
No. There are no other add-ons than the ones you listed. As well, the Splunk Supporting Add-on for Active Directory is not applicable to the problems you experience.
Please read my response from 2 days ago as a starting point.
Also, in the documentation I see that the Splunk Supporting Add-on for Active Directory can be installed on a search head.
It does not perform any function when installed on a forwarder or indexer. Am I doing something wrong?
My topology does not have a search head. Am I able to set up this app?
If you do not have a search head in your topology, then your indexer is the search head by default. So there is no issue there.
The data check for Active Directory is failing. This is because either:
- the msad index does not exist on your indexer;
- the msad index - they only do this if you installed the correct Active Directory add-on in the universal forwarder on each DC;
- the msad index by default.
More info at the Splunk App for Windows Infrastructure Troubleshooting Page.
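To make the two indexer-side checks from the answer above concrete, here is an added example script (not from the thread or from Splunk): it parses an indexes.conf for an [msad] stanza and, when run with --live, queries the local indexer for the index and for MSAD* events. SPLUNK_HOME=/opt/splunk, the management port 8089 on localhost, and the SPLUNK_AUTH credential variable are assumptions; the sample indexes.conf contents are constructed.

```shell
#!/bin/sh
# Added example: verify the indexer-side prerequisites for MSAD data.
# Assumptions: default /opt/splunk install, management port on localhost:8089,
# SPLUNK_AUTH holds "user:password" for the REST and CLI calls.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_AUTH="${SPLUNK_AUTH:-admin:changeme}"

# has_index_stanza INDEX CONF_TEXT
# Returns 0 if CONF_TEXT (indexes.conf contents) defines a [INDEX] stanza.
has_index_stanza() {
    _name="$1"
    _conf="$2"
    printf '%s\n' "$_conf" | grep -q "^\[${_name}\][[:space:]]*$"
}

# merged_indexes_conf
# Prints the effective indexes.conf as seen by this Splunk instance (btool).
merged_indexes_conf() {
    "$SPLUNK_HOME/bin/splunk" btool indexes list
}

# index_exists_rest INDEX
# Returns 0 if the REST API reports the index; 404 means it does not exist.
index_exists_rest() {
    _code=$(curl -sk -o /dev/null -w '%{http_code}' -u "$SPLUNK_AUTH" \
        "https://localhost:8089/services/data/indexes/$1")
    [ "$_code" = "200" ]
}

# msad_events_last_day
# Runs the same search the app wizard runs and prints the matching events.
msad_events_last_day() {
    "$SPLUNK_HOME/bin/splunk" search 'sourcetype="MSAD*" | head 5' \
        -earliest_time -24h -auth "$SPLUNK_AUTH"
}

run_live_checks() {
    if has_index_stanza msad "$(merged_indexes_conf)"; then
        echo "OK: [msad] stanza present in effective indexes.conf"
    else
        echo "MISSING: no [msad] stanza; create the index on the indexer"
    fi
    if index_exists_rest msad; then
        echo "OK: REST reports index msad"
    else
        echo "MISSING: REST does not report index msad"
    fi
    echo "--- MSAD* events in the last 24h (empty means DCs are not sending) ---"
    msad_events_last_day
}

# Only touch the live instance when explicitly asked; the functions above
# can be sourced and exercised against constructed text otherwise.
case "${1:-}" in
    --live) run_live_checks ;;
esac
```

Run it as `SPLUNK_AUTH=admin:yourpassword sh check_msad.sh --live` on the indexer. If the stanza check passes but the search returns nothing, the gap is on the domain controllers, exactly as the answer says: the forwarder add-on that collects MSAD data is not installed or cannot run its PowerShell scripts.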
Like malmoore says, you need more than the configuration on the search head / indexer for this to work. Please review his answer and verify that you have an msad index, and that you have installed the correct add-on on the DOMAIN CONTROLLERS.
Thanks for your answer!
Do you mean the Splunk Supporting Add-on for Microsoft Windows Active Directory v2.0.1? I have this one installed on the indexer and it is marked as OK.