Hello all,
I am using Splunk Enterprise 7.3.1, with the Windows apps and the AD add-on for Windows AD.
I get no data in the Windows Overview or the AD overview. There is no current data in the wineventlog and no data in the winevents log. I have used the inputs.conf file as mentioned in the Splunk documentation here:
docs.splunk.com/Documentation/MSApp/1.5.2/MSInfra/DownloadandconfiguretheSplunkAdd-onforWindowsversion6.0.0orlater
I have inputs.conf files in etc\system\local and app\splunk_TA_windows\local
and wmi.conf file in etc\system\local
What am I missing in the configuration?
Thanks
eholz1
Did you deploy the Windows TA to a Universal Forwarder? Is the UF running as a domain account or LOCAL SYSTEM?
Does the UF send any data at all? Look for the host in index=_internal.
Skalli
Hello skalliger,
Thanks for the reply. I ended up re-installing the app, and many of the issues are gone now.
I have not yet re-installed the Windows Infrastructure app or the Windows app for AD.
We are not using the UF on any of the Windows boxes.
We are using WMI to query the logs. The version of Splunk is 7.3.1 and it runs as a domain user (for WMI access), and the user is also in the local users on the Splunk server/indexer.
I think that I have discovered the problem as far as the event logs, etc. Currently the machines that are being monitored via WMI are storing their logs in the "default" index. If I decide to re-install the apps, the indexes will have to be changed as appropriate, like "winevents" or "windowslogs", etc.
Thanks Again,
Eholz1
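The index problem described in the last post comes from WMI stanzas that carry no index setting, so the events land in the default index and the Windows apps, which search their own indexes, show nothing. The fragment below is an added example and not configuration from this thread or from the Splunk apps: it shows a wmi.conf stanza on the Splunk Enterprise server that polls two remote hosts and routes the events to the wineventlog index, together with the indexes.conf stanza that index needs. The host names (dc01, dc02) are placeholders; wineventlog is used because the first post names it, and the index must exist on the indexer, otherwise the events are dropped rather than indexed.

```ini
# etc/system/local/wmi.conf  (runs on the Splunk Enterprise server that holds the domain account)
[settings]
# keep the remote-poll retry behaviour at sane values
initial_backoff = 5
max_backoff = 20
max_retries = 2
checkpoint_sync_interval = 2

# One stanza per remote event log; the stanza name after "WMI:" is free text.
# server is a comma-separated list of hosts the domain account may query over WMI (placeholders).
[WMI:RemoteSecurity]
server = dc01,dc02
interval = 10
event_log_file = Security
current_only = 0
disabled = 0
# Without this line the events go to the default index and the Windows/AD apps never see them.
index = wineventlog

[WMI:RemoteSystem]
server = dc01,dc02
interval = 10
event_log_file = System
disabled = 0
index = wineventlog

# etc/system/local/indexes.conf  (on the indexer)
# The index named in wmi.conf must be defined, or splunkd logs an error and discards the events.
[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
```

After a restart, the check from the reply above still applies: search `index=_internal host=dc01` to confirm the poller is reaching the host, and `| tstats count where index=* by index, host, sourcetype` to see which index the WMI events actually landed in before and after the change.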