Why did MS Windows AD Objects fail to build lookups?

Roger
Loves-to-Learn Lots

Hello,

I am evaluating Splunk Enterprise in our environment and I have set up an on-premises server for that. Currently I am trying to configure the MS Windows AD Objects app on Splunk. The procedures have been carefully followed. However, it failed on the last step - building lookups.

When the process was trying to build the AD_Obj_Admin_Audit lookup, the following error was reported:

Warning: No Windows Change Events Found - Change Time Period

Due to the error, the setup cannot be completed. I have changed the time period to as much as 5 years but still no luck.

It would be appreciated if you could help us to troubleshoot the issue.

Thanks


splunk_31
New Member

I had the same issue; I found that Active Directory auditing was not properly configured on the DC. I did not get too in-depth with the troubleshooting; however, I configured the following for success and failure. This allowed the query to run.

  • DS Access
  • Privilege Use
  • Audit directory service access
  • Audit policy change
  • Audit privilege use
  • Audit system events


Hope this helps.


sconnors
Engager

I ran into the same problem. I use custom index names, and multiple indexes for various collection purposes. I listed the indexes thus within the macro searches:

  index=first_winindex
  index=second_winindex
      etc

This was incorrect. I needed to use a Boolean OR between indexes:

  index=first_winindex OR index=second_winindex OR ...etc

Now it builds the AD_Obj_Admin_Audit lookup. It does take a while to build however.

Good luck!


Roger
Loves-to-Learn Lots

Hello,

Thanks for your reply! However, since we didn't use custom index names, the macro should not need to be changed.

Regards,


sconnors
Engager

Understood. The second point I was making was the setting of macro definitions in the previous screen. One screen back from the build screen is where the macros that require indexes are shown. One of these is ms__obj_win_events_index.

Update this macro definition like so (assuming default index names):
    index=WinEvtSec OR index=Windows

Perhaps this will help.

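The implicit-AND pitfall sconnors describes, as an added example that is not part of this thread or of the app: a small Python checker that reads a macros.conf stanza (layout assumed; the sample stanza is constructed), flags a definition whose index= terms are listed without OR, and produces the OR-joined form.

```python
import re
from configparser import ConfigParser

# Matches each index=<name> term; the name may be quoted or bare.
INDEX_TERM = re.compile(r'\bindex\s*=\s*("[^"]+"|[^\s()]+)', re.IGNORECASE)

# Constructed sample stanza written the way the thread's first attempt was:
# one index= term per line, which SPL reads as index=A AND index=B.
SAMPLE_MACROS_CONF = """
[ms__obj_win_events_index]
definition = index=first_winindex
    index=second_winindex
iseval = 0
"""

def index_terms(definition: str) -> list[str]:
    """Return the index names referenced in a macro definition, in order."""
    return [m.group(1).strip('"') for m in INDEX_TERM.finditer(definition)]

def is_and_joined(definition: str) -> bool:
    """True if some OR-disjunct of the definition carries more than one index= term.
    Adjacent SPL terms are implicitly ANDed, and no event lives in two indexes,
    so such a macro matches nothing and the lookup builds empty."""
    disjuncts = re.split(r"\s+OR\s+", definition, flags=re.IGNORECASE)
    return any(len(index_terms(d)) > 1 for d in disjuncts)

def corrected_definition(definition: str) -> str:
    """Rewrite the definition as one OR-joined list of the same indexes."""
    return " OR ".join(f"index={name}" for name in index_terms(definition))

def check_macros_conf(text: str) -> dict[str, str]:
    """Map each macro stanza with an AND-joined definition to its corrected form."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for stanza in cp.sections():
        definition = cp.get(stanza, "definition", fallback="")
        if is_and_joined(definition):
            findings[stanza] = corrected_definition(definition)
    return findings

if __name__ == "__main__":
    for stanza, fixed in check_macros_conf(SAMPLE_MACROS_CONF).items():
        print(f"[{stanza}] lists indexes without OR; use: definition = {fixed}")
```

An empty AD_Obj_Admin_Audit lookup is also an empty audit trail, so a check like this is worth running whenever the macro is edited, not only at setup time.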