Dears,
We are running the following versions of Splunk and supporting apps for Windows infrastructure:
Splunk Enterprise: 7.2.3
Splunk App for Windows Infrastructure(splunk_app_windows_infrastructure): 1.5.1
Splunk Add-on for Microsoft Windows(Splunk_TA_windows): 4.8.4
Splunk Add-on for Microsoft Windows DNS(Splunk_TA_microsoft_dns): 1.0.1
Splunk Add-on for Microsoft Active Directory(Splunk_TA_microsoft_ad): 1.0.0
Splunk Supporting Add-on for Active Directory(SA-ldapsearch): 2.2.0
Splunk Add-on for PowerShell(SA-ModularInput-PowerShell): 1.2.1
Rhel OS: 7.3
The Splunk App for Windows Infrastructure does not Show me any User, Computer, or Group entry.
Also the Guided Setup says "users not found", "Computers not found" and "Groups not found"
All Dashboards related to them don't display any thing
On the Windows AD Domain Controller the following apps are installed:
Splunk App for Windows Infrastructure(splunk_app_windows_infrastructure): 1.5.1
Splunk Add-on for Microsoft Windows(Splunk_TA_windows): 4.8.4
Splunk Add-on for Microsoft Windows DNS(Splunk_TA_microsoft_dns): 1.0.1
Splunk Add-on for Microsoft Active Directory(Splunk_TA_microsoft_ad): 1.0.0
Splunk Add-on for PowerShell(SA-ModularInput-PowerShell): 1.2.1
sendtoindexer
TA-DomainController-NT6
TA-DNSServer-NT6
please can someone help me to figure out why I can't get data?
I was having this issue and just recently resolved it.
I troubleshot this by searching for
|eventtype=msad-successful-user-logons|
which returned no results. Further investigation revealed that no eventlog:security items were being indexed.
I searched
|eventtype=msad-dc-health |
which is generated on the universal forwarder from powershell scripts enabled in inputs.conf. This returned current data normally.
I determined that the UF was configured correctly and was sending data, which was being received and stored in the correct index, and that active directory audit data was not being generated.
I resolved the issue by manually configuring a new set of audit GPs, applying it to my domain controller OU, and setting the "enforced" attribute in GPMC.
Just to clarify, I needed to configure Advanced Audit Configuration in GP, including:
Audit Computer Account Management Success, Failure
Audit Distribution Group Management Success, Failure
Audit Security Group Management Success, Failure
Audit User Account Management Success, Failure
Audit Directory Service Access Success, Failure
Audit Directory Service Changes Success, Failure