Windows TA- Why are we not seeing any data in Splu...

edwardrose · ‎03-09-2021

Hello All,

I am trying to ingest some Azure data from our DCs. I have the following two stanzas added to our Splunk_TA_windows inputs.conf and we still do not see any data and do not see any errors from any of the hosts that have the Azure data.

[WinEventlog://Microsoft-AzureADPasswordProtection-DCAgent/Admin]
index = wineventlog
disabled = 0
renderXml=true

[WinEventlog://Microsoft-AzureADPasswordProtection-DCAgent/Operational]
index = wineventlog
disabled = 0
renderXml=true

Not sure why we are not seeing any data in Splunk. The AD admin says he sees logs on the host but not in Splunk. So to me it seems that Splunk is not ingesting the data and I am lost as to why.

Thanks

asha_muniraju · ‎06-13-2022

Hi,

did anyone fix this issue?

Thanks

Roy_9 · ‎11-04-2021

Have you checked the firewall rules and a connectivity test?

Did you find anything in your internal logs?

jbanAtSplunk · ‎11-04-2021

Hey, did you find out solution?
I have same issue here?

Windows TA- Why are we not seeing any data in Splunk?

configuration

troubleshooting

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?