Getting Data In

Not receiving data from universal forwarders when netstat shows domain controller is connected.

ngct2020
New Member

Hi,

I configured a Splunk Enterprise indexer to monitor Active Directory. That worked without issues; it found my domain controllers right away. I also configured the forwarder's conf file properly, but I'm not seeing any data in Splunk.

Netstat shows that the indexer is listening on 9997. Netstat also shows that the domain controller running the forwarder is connected to the indexer on 9997.

But still no data. Can someone please help?

0 Karma

ngct2020
New Member

Completed. No data still. I'm also seeing this message:

Missing or malformed messages.conf stanza for TCPOUT:FORWARDING_BLOCKED__Indexer IP_default-autolb-group_DC Host Name_10
5/22/2020, 2:00:52 PM

0 Karma

ngct2020
New Member

Hi,

Apologies, I'm new to Splunk. You said to check that my index is already created on the indexer(s). I'm not sure how to do this; can you point me to a document that explains it?

All I have done on the Splunk indexer is enable a receiver port of 9997, configure Active Directory monitoring and add my domain controllers to it.
I don't think I have configured what's required on line 3 above (index = your_index_name).

0 Karma

shivanshu1593
Builder

You haven't specified anything in inputs.conf for Splunk to look for. Splunk uses API calls to monitor these logs, which are in binary format. Adding this stanza to inputs.conf on the UF will help. Please make sure that the index is already created on your indexer(s). Also, after pasting this into your inputs.conf, please make sure to restart splunkd on the DC.

[WinEventLog://Security]
disabled = 0 
index = your_index_name

I'd also suggest using a server as a deployment server for the UFs. That way, you can compartmentalize your UFs according to the types of servers on which they are deployed, for example: domain controllers, any app's database, DHCP servers, etc. Also, you can change their inputs.conf at any time from the deployment server, rather than going to the servers to make the changes every time. That will become increasingly difficult as your environment grows.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
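An ESTABLISHED netstat entry only proves that the TCP session to 9997 is up; it says nothing about whether the forwarder has any input stanza to collect, or whether the index that stanza names exists on the indexer (events sent to an index that does not exist are dropped on the indexer side and never reach a search). The script below is an added example, not code from Splunk or from anyone in this thread. It parses inputs.conf and outputs.conf in Splunk's stanza format and applies the three checks from the answer above: a target group with a server, at least one enabled input, and every targeted index present on the indexer. The index set, the host name `DC01` and the index name `wineventlog` are constructed for the example; on a real indexer you would take the index list from `splunk list index` or from the REST endpoint `/services/data/indexes`.

```python
"""Lint a Universal Forwarder's inputs.conf / outputs.conf against the indexes
that exist on the indexer. Added example for this thread, not Splunk code."""


def parse_conf(text):
    """Parse Splunk's .conf format into {stanza: {key: value}}.

    Stanza names may contain ':' and '//' (e.g. [WinEventLog://Security]) and
    keys are case-sensitive, so a hand-rolled parser is used instead of
    configparser, which lowercases keys and treats ':' as a delimiter.
    """
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            conf[stanza][key.strip()] = value.strip()
    return conf


def is_disabled(value):
    """Splunk accepts 0/1 and true/false for 'disabled'."""
    return str(value).strip().lower() in ("1", "true", "t", "yes")


def lint_forwarder(inputs_text, outputs_text, indexer_indexes):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    inputs = parse_conf(inputs_text)
    outputs = parse_conf(outputs_text)

    # 1. outputs.conf: [tcpout] defaultGroup must point at a group with a server.
    group = outputs.get("tcpout", {}).get("defaultGroup")
    group_stanza = outputs.get(f"tcpout:{group}", {}) if group else {}
    if not group_stanza.get("server"):
        findings.append("outputs.conf: [tcpout] defaultGroup does not name a group with a server")

    # 2. inputs.conf: at least one enabled data input. A [default] stanza only
    #    sets shared keys such as host; on its own it collects nothing.
    default_index = inputs.get("default", {}).get("index", "main")
    active = {name: body for name, body in inputs.items()
              if name != "default" and not is_disabled(body.get("disabled", "0"))}
    if not active:
        findings.append("inputs.conf: no enabled data inputs; the UF has nothing to send")

    # 3. Every index an input targets must already exist on the indexer.
    for name, body in active.items():
        idx = body.get("index", default_index)
        if idx not in indexer_indexes:
            findings.append(f"inputs.conf: [{name}] targets index '{idx}', which is not on the indexer")
    return findings


# Constructed sample: the outputs.conf shape posted in the thread, IP masked.
OUTPUTS_POSTED = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = x.x.x.x:9997

[tcpout-server://x.x.x.x:9997]
"""

# Constructed sample: an inputs.conf holding only a [default] stanza.
INPUTS_POSTED = """
[default]
host = DC01
"""

# The suggested stanza, but naming an index that was never created (assumed).
INPUTS_UNCREATED_INDEX = INPUTS_POSTED + """
[WinEventLog://Security]
disabled = 0
index = your_index_name
"""

# The same stanza pointing at an index that does exist on the indexer (assumed).
INPUTS_FIXED = INPUTS_POSTED + """
[WinEventLog://Security]
disabled = 0
index = wineventlog
"""

# Constructed index list standing in for `splunk list index` on the indexer.
INDEXER_INDEXES = {"main", "_internal", "_audit", "wineventlog"}

if __name__ == "__main__":
    for label, text in (("posted", INPUTS_POSTED),
                        ("uncreated index", INPUTS_UNCREATED_INDEX),
                        ("fixed", INPUTS_FIXED)):
        print(label, lint_forwarder(text, OUTPUTS_POSTED, INDEXER_INDEXES) or ["OK"])
```

Run it on the real files from `%SPLUNK_HOME%\etc\system\local` (or the app directory a deployment server pushes to) and compare against the indexer's index list; a clean result from this linter plus the netstat connection means the remaining suspects are the indexer's own splunkd.log and the forwarder's `FORWARDING_BLOCKED` state rather than the UF configuration.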

ngct2020
New Member

I also have the add-on for AD installed on the DCs hosting the UF.

0 Karma

ngct2020
New Member

Hi,

Yes. The intent is to bring security events from the domain controllers into Splunk. I didn't use a remote deployment, just installed the UF locally on the domain controllers. Configured the outputs file using a single indexer server setup with the target server IP address on default port 9997. Didn't do anything in inputs.conf (see configurations below). There are no firewall restrictions. Netstat shows that the DC is connected to the indexer on 9997.

outputs.conf on domain controllers with UF

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = x.x.x.x:9997

[tcpout-server://x.x.x.x:9997]

inputs.conf on domain controllers with UF

[default]
host = DomainController's host name

0 Karma

shivanshu1593
Builder

If you're trying to run LDAP queries to get the data, then I'd suggest going for this:

https://splunkbase.splunk.com/app/3207/

If you are trying to bring the security/directory services or any other type of logs into Splunk from Domain controllers, then you need to make sure that:

  1. Your UF is reporting to your deployment server.
  2. Inputs.conf and outputs.conf are correctly configured and placed in your domain controllers.
  3. There are no firewall restrictions in between (usually there aren't, but you never know).

If you can share your inputs and outputs, masking the important details, we can help further.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma