I configured a Splunk Enterprise indexer to monitor Active Directory. That worked without issues; it found my domain controllers right away. I also configured the
forwarder's conf file properly, but I'm not seeing any data in Splunk.
Netstat shows that the indexer is listening on
9997. Netstat also shows that the domain controller running the forwarder is connected to the indexer on
But still no data. Can someone please help?
Completed. No data still. I'm also seeing this message:
Missing or malformed messages.conf stanza for TCPOUT:FORWARDING_BLOCKED__Inderxer IP_default-autolb-group_DC Host Name_10
5/22/2020, 2:00:52 PM
Apologies, I'm new to Splunk. You said to "check my index is already created on your Indexer/s". Not sure how to do this; can you point me to a document that explains it?
All I have done on the Splunk indexer is enable a receiver port of 9997, configure Active Directory monitoring and add my domain controllers to it.
I don't think I have configured what's required on line 3 above (index = your_index_name).
You haven't specified anything in inputs.conf for Splunk to look for. Splunk uses API calls to monitor these logs, which are in binary format. Adding this stanza in inputs.conf on the UF will help. Please make sure that the index is already created on your indexer/s. Also, after pasting this into your inputs.conf, please make sure to restart splunkd on the DC.
[WinEventLog://Security]
disabled = 0
index = your_index_name
I'd also suggest you use a server as a deployment server for the UFs. That way, you can compartmentalize your UFs according to the types of servers on which they are deployed, for example: domain controllers, any app's database, DHCP servers etc. Also, you can change their inputs.conf anytime from the deployment server, rather than going to the servers to make the changes all the time. It will become increasingly difficult as your environment grows.
Yes. The intent is to bring security events from the domain controllers into Splunk. I didn't use a remote deployment, just installed the UF locally on the domain controllers. Configured the output file using a single-indexer setup with the target server IP address on default port 9997. Didn't do anything in inputs.conf (see configurations below). There are no firewall restrictions. Netstat shows that the DC is connected to the indexer on 9997.
outputs.conf on domain controllers with UF
# a single indexer: the default output group and the group's server list
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = x.x.x.x:9997
inputs.conf on domain controllers with UF
# only the host name written by the UF installer; no data input stanzas yet
[default]
host = DomainController's host name
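The two configs above and the [WinEventLog://Security] stanza from the earlier answer show the three things that have to line up before security events from a DC reach the indexer: an enabled input stanza in inputs.conf, a tcpout group in outputs.conf that points at the indexer's receiving port, and an index on the indexer with the name the input references. The checker below is an added example, not code from this thread or from Splunk; it parses the three conf files (Splunk's INI-style format) and reports each of those failure modes. The conf texts embedded in it are constructed to mirror the posted configs, with placeholder host names and a documentation IP, and the index name wineventlog is an assumption.

```python
import configparser
import re

# Indexes that exist on a Splunk indexer without being declared in a local indexes.conf.
BUILTIN_INDEXES = {"main", "history", "summary", "_internal", "_audit", "_introspection"}


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; key case is preserved (defaultGroup)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def is_enabled(stanza):
    """A stanza is active unless it carries disabled = 1 (or true)."""
    return stanza.get("disabled", "0").strip().lower() not in ("1", "true")


def check_outputs(outputs):
    """Verify outputs.conf names a default group and that group lists host:port servers."""
    findings = []
    tcpout = outputs.get("tcpout")
    if tcpout is None:
        return ["outputs.conf: no [tcpout] stanza, so the UF has nowhere to send data"]
    group = tcpout.get("defaultGroup", "").strip()
    if not group:
        return ["outputs.conf: [tcpout] has no defaultGroup"]
    group_stanza = outputs.get(f"tcpout:{group}")
    if group_stanza is None:
        return [f"outputs.conf: defaultGroup '{group}' has no matching [tcpout:{group}] stanza"]
    servers = [s.strip() for s in group_stanza.get("server", "").split(",") if s.strip()]
    if not servers:
        findings.append(f"outputs.conf: [tcpout:{group}] lists no server")
    for server in servers:
        if not re.fullmatch(r"[^:\s,]+:\d{1,5}", server):
            findings.append(f"outputs.conf: server entry '{server}' is not host:port")
    return findings


def check_inputs(inputs, indexer_indexes):
    """Verify inputs.conf collects something and every referenced index exists on the indexer."""
    findings = []
    data_stanzas = {n: s for n, s in inputs.items() if n != "default" and is_enabled(s)}
    if not data_stanzas:
        findings.append("inputs.conf: no enabled data input stanza, so the UF collects nothing "
                        "(e.g. add [WinEventLog://Security] with disabled = 0 and an index)")
    default_index = inputs.get("default", {}).get("index", "main")
    known = set(indexer_indexes) | BUILTIN_INDEXES
    for name, stanza in data_stanzas.items():
        index = stanza.get("index", default_index).strip()
        if index not in known:
            findings.append(f"inputs.conf: [{name}] sends to index '{index}', which is not defined "
                            "in the indexer's indexes.conf")
    return findings


def audit(inputs_text, outputs_text, indexes_text):
    """Return a list of findings for the UF's inputs.conf/outputs.conf and the indexer's indexes.conf."""
    findings = []
    parsed = {}
    for label, text in (("inputs.conf", inputs_text), ("outputs.conf", outputs_text),
                        ("indexes.conf", indexes_text)):
        try:
            parsed[label] = parse_conf(text)
        except configparser.MissingSectionHeaderError:
            findings.append(f"{label}: settings appear before any [stanza] header and belong to no stanza")
            parsed[label] = {}
    findings += check_outputs(parsed["outputs.conf"])
    findings += check_inputs(parsed["inputs.conf"], parsed["indexes.conf"])
    return findings


# Constructed sample configs (placeholders, not real hosts).
OP_INPUTS = "[default]\nhost = DC01-placeholder\n"
OP_OUTPUTS = ("[tcpout]\ndefaultGroup = default-autolb-group\n\n"
              "[tcpout:default-autolb-group]\nserver = 192.0.2.10:9997\n")
FIXED_INPUTS = OP_INPUTS + "\n[WinEventLog://Security]\ndisabled = 0\nindex = wineventlog\n"
INDEXER_INDEXES = ("[wineventlog]\nhomePath = $SPLUNK_DB/wineventlog/db\n"
                   "coldPath = $SPLUNK_DB/wineventlog/colddb\n"
                   "thawedPath = $SPLUNK_DB/wineventlog/thaweddb\n")

if __name__ == "__main__":
    for title, inp, idx in (("as posted", OP_INPUTS, INDEXER_INDEXES),
                            ("with the Security stanza", FIXED_INPUTS, INDEXER_INDEXES),
                            ("stanza added but index missing on indexer", FIXED_INPUTS, "")):
        print(f"== {title} ==")
        for finding in audit(inp, OP_OUTPUTS, idx) or ["no findings"]:
            print("  -", finding)
```

Run it against the real files ($SPLUNK_HOME/etc/system/local on the UF and the indexer, or the app directories a deployment server pushes) and the first case reproduces this thread's situation exactly: a healthy TCP connection on 9997, no findings in outputs.conf, and nothing configured to collect.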
If you're trying to do an LDAP query to get the data, then I'd suggest going for this
If you are trying to bring the security/directory services or any other type of logs into Splunk from domain controllers, then you need to make sure that:
If you can share your inputs and outputs, masking the important details, we can help further.