[indexer1.domain.com] Eventtype 'wineventlog-dns' does not exist or is disabled.
[indexer2.domain.com] Eventtype 'wineventlog-dns' does not exist or is disabled.
Extra info: I'm in a distributed Splunk environment. However, I'm not using indexer clustering.
./apps/splunk_app_windows_infrastructure/default/eventtypes.conf
[splunk@splunk-dev-1 etc]# vi apps/splunk_app_windows_infrastructure/default/eventtypes.conf
[msad-dns-events]
search = ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (*eventtype=wineventlog-dns* (Type=Warning OR Type=Error))
[msad-account-lockout]
search = eventtype=wineventlog_security EventCode=4740
[msad-account-unlock]
search = eventtype=wineventlog_security EventCode=4767
[msad-ad-access]
search = eventtype=wineventlog_security EventCode=4662
[msad-admin-audit]
search = (eventtype=msad-group-changes OR eventtype=msad-groupmembership-changes OR eventtype=msad-computer-changes OR eventtype=msad-user-changes OR eventtype=msad-account-lockout OR eventtype=msad-account-unlock) user!="*$" src_user!="*$"
[msad-anomalous-events]
search = eventtype=msad-security-anomalous-events OR eventtype=msad-dirsvcs-anomalous-events
[msad-computer-changes]
search = eventtype=wineventlog_security (EventCode=4741 OR EventCode=4742 OR EventCode=4743)
[msad-dirsvcs-anomalous-events]
search = eventtype=wineventlog-ds (Type=Error OR Type=Warning OR EventCode=1458)
[msad-disabled-logons]
search = eventtype=wineventlog_security EventCode=4625 (Status=0xC000006E OR Status=0xC0000072 OR Status=0xC0000193)
[msad-dns-events]
search = ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error))
[msad-failed-computer-logons]
search = eventtype=wineventlog_security EventCode=4625 user="*$"
[msad-failed-user-logons]
search = eventtype=wineventlog_security (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) Keywords="Audit Failure")) user!="*$"
[msad-group-changes]
search = eventtype=wineventlog_security (EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764)
[msad-groupmembership-changes]
search = eventtype=wineventlog_security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762)
[msad-password-changes]
search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=4724)
[msad-rep-errors]
search = eventtype=wineventlog-ds (EventCode=1014 OR EventCode=1083 OR EventCode=1084 OR EventCode=1203 OR EventCode=1307 OR EventCode=1308 OR EventCode=1311 OR EventCode=1566 OR EventCode=1699 OR EventCode=1800 OR EventCode=1801 OR EventCode=1865 OR EventCode=1925 OR EventCode=1926 OR EventCode=1988 OR EventCode=2087 OR EventCode=2088)
[msad-security-anomalous-events]
search = eventtype=wineventlog_security (Type=Error OR Type=Warning OR EventCode=512 OR EventCode=513 OR EventCode=516 OR EventCode=517 OR EventCode=1100 OR EventCode=1101 OR EventCode=1102 OR EventCode=1104 OR EventCode=4609 OR EventCode=4612 OR EventCode=1621)
[msad-successful-computer-logons]
search = eventtype=wineventlog_security EventCode=4624 user="*$"
[msad-successful-user-logons]
search = eventtype=wineventlog_security EventCode=4624 user!="*$"
[msad-user-changes]
search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4722 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4912) user!="*$"
[eventlog_Update_Successful]
search = sourcetype="*:System" "Installation Successful"
[eventlog_Update_Failed]
search = sourcetype="*:System" "Installation Failure"
[updatelog_Update_Successful]
search = sourcetype="WindowsUpdateLog" "Content Install" "Installation Successful"
[updatelog_Update_Failed]
search = sourcetype="WindowsUpdateLog" Failure "Content Install" "Installation Failure"
[Update_Successful]
search = eventtype=eventlog_Update_Successful OR eventtype=updatelog_Update_Successful
[Update_Failed]
search = eventtype=eventlog_Update_Failed OR eventtype=updatelog_Update_Failed
[Key_Events_On_Hosts]
search = \
( \
sourcetype="WinEventLog*" OR sourcetype="XmlWinEventLog*" \
(Type="*Error*" OR Type="*Fail*" OR EventCode=1074 OR EventCode=19 OR \
EventCode=20 OR EventCode=21 OR Eventcode=1001) \
) OR \
( \
sourcetype="WindowsUpdateLog" (status="installed" OR \
status="failure" OR status="restart required") \
)
description = This event type identifies key events on a host machine running Windows. \
Key events are defined as most commonly occurring scenarios on a Windows host that \
may require immediate attention or may explain issues seen on a host. hence the \
events collected by this event type include the following: \
1. Windows event log events from the System, Application or Security event log \
that indicate errors. \
2. Windows system event log event with event code 1074 for system reboots. Event codes \
600*s although useful in detecting the reboots of the event log itself are useful, \
they have been known to be noisy in reality and so excluded from this event type. \
3. Windows update event log events with event codes 19, 20 or 21 for installs, \
failures and required reboot scenarios. \
4. Windows update log actions indicating install, failure or install requiring reboots. \
Note: since event types dont support append command, we OR the source types.
"
Solved the problem:
Install https://splunkbase.splunk.com/app/1477/ on the universal forwarders for DC's/Print Servers/etc.
Install https://splunkbase.splunk.com/app/3208/ on UF's, like above, and Indexers, and searchheads.
Nothing from what you posted was legible or comprehensible. This is an utterly useless post to anybody who views it.
Solved the problem:
Install https://splunkbase.splunk.com/app/1477/ on the universal forwarders for DC's/Print Servers/etc.
Install https://splunkbase.splunk.com/app/3208/ on UF's, like above, and Indexers, and searchheads.