Getting Data In

Not receiving data from universal forwarders when netstat shows domain controller is connected.

ngct2020
New Member

Hi,

I configured a Splunk enterprise indexer to monitor active directory. That worked without issues, it found my domain controllers right away. I also configured the forwarders conf file properly, but I'm not seeing any data in Splunk.

Netstat shows that the indexer is listening in 9997. Netstat also shows that the domain controller running the forwarder is connected to the indexer in 9997.

But still no data. Can someone please help?

0 Karma

ngct2020
New Member

Completed. Still no data. I'm also seeing this message:

Missing or malformed messages.conf stanza for TCPOUT:FORWARDING_BLOCKED__Indexer IP_default-autolb-group_DC Host Name_10
5/22/2020, 2:00:52 PM

0 Karma

ngct2020
New Member

Hi,

Apologies, I'm new to Splunk. You said to check that my index is already created on my indexer(s). I'm not sure how to do this; can you point me to a document that explains it?

All I have done on the Splunk indexer is enable a receiver port of 9997, configure Active Directory monitoring and add my domain controllers to it.
I don't think I have configured what's required on line 3 above (index = your_index_name).

0 Karma

shivanshu1593
Contributor

You haven't specified anything in inputs.conf for Splunk to look for. Splunk uses API calls to monitor these logs, which are in binary format. Adding this stanza in inputs.conf on the UF will help. Please make sure that the index is already created on your indexer(s). Also, after pasting this into your inputs.conf, please make sure to restart splunkd on the DC.

[WinEventLog://Security]
disabled = 0 
index = your_index_name

I'd also suggest using a server as a deployment server for the UFs. That way, you can compartmentalize your UFs according to the types of servers on which they are deployed, for example: domain controllers, any app's database, DHCP servers etc. Also, you can change their inputs.conf anytime from the deployment server, rather than going to the servers to make the changes all the time. It will become increasingly difficult as your environment grows.

0 Karma

ngct2020
New Member

I also have the add-on for AD installed on the DCs hosting the UF.

0 Karma

ngct2020
New Member

Hi,

Yes. The intent is to bring security events from the domain controllers into Splunk. I didn't use a remote deployment, just installed the UF locally on the domain controllers. Configured the output file using a single indexer server setup with the target server IP address on default port 9997. Didn't do anything in the inputs.conf (see configurations below). There are no firewall restrictions. Netstat shows that the DC is connected to the indexer on 9997.

outputs.conf on domain controllers with UF

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = x.x.x.x:9997

[tcpout-server://x.x.x.x:9997]

inputs.conf on domain controllers with UF

[default]
host = DomainController's host name

0 Karma

shivanshu1593
Contributor

If you're trying to do the LDAP query to get the data, then I'd suggest going with this:

https://splunkbase.splunk.com/app/3207/

If you are trying to bring the security/directory services or any other type of logs into Splunk from Domain controllers, then you need to make sure that:

  1. Your UF is reporting to your deployment server.
  2. Inputs.conf and outputs.conf are correctly configured and placed in your domain controllers.
  3. There are no firewall restrictions in between (usually there aren't, but you never know).

If you can share your inputs and outputs, masking the important details, we can help further.

0 Karma
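The checklist in this answer and the inputs.conf stanza suggested further up the thread can be turned into a quick static check of the two files on the UF. The following is an added example written for this page, not code from Splunk or from anyone in the thread: it parses a UF's inputs.conf and outputs.conf (Splunk .conf files are INI-style stanzas) and reports the three failure modes discussed here: no WinEventLog input defined at all, an input that names an index that was never created on the indexer, and a [tcpout] defaultGroup with no matching stanza or server. The host name DC01, the IP 10.0.0.5 and the index name wineventlog are constructed sample values, and the set of indexes known to the indexer is passed in by hand rather than queried.

```python
"""Static sanity checks for a Universal Forwarder's inputs.conf / outputs.conf.

Added example for the forum thread above; sample values are constructed.
"""
import configparser
from typing import List, Set

# Constructed sample files (hypothetical host, IP and index names).
INPUTS_BEFORE = """\
[default]
host = DC01
"""

INPUTS_AFTER = """\
[default]
host = DC01

[WinEventLog://Security]
disabled = 0
index = wineventlog
"""

OUTPUTS_OK = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.0.5:9997
"""

OUTPUTS_BROKEN = """\
[tcpout]
defaultGroup = default-autolb-group
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-style 'key = value' lines under [stanza] headers."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; Splunk setting names are case-sensitive
    cp.read_string(text)
    return cp


def check_outputs(text: str) -> List[str]:
    """Return findings for outputs.conf; an empty list means the tcpout chain is complete."""
    findings: List[str] = []
    cp = parse_conf(text)
    if not cp.has_section("tcpout"):
        return ["outputs.conf: no [tcpout] stanza, the UF has nowhere to send data"]
    group = cp.get("tcpout", "defaultGroup", fallback=None)
    if not group:
        return ["outputs.conf: [tcpout] has no defaultGroup"]
    stanza = f"tcpout:{group}"
    if not cp.has_section(stanza):
        return [f"outputs.conf: defaultGroup '{group}' has no [{stanza}] stanza"]
    servers = cp.get(stanza, "server", fallback="")
    entries = [s.strip() for s in servers.split(",") if s.strip()]
    if not entries:
        findings.append(f"outputs.conf: [{stanza}] has no server = host:port")
    for entry in entries:
        host, _, port = entry.rpartition(":")
        if not host or not port.isdigit():
            findings.append(f"outputs.conf: server entry '{entry}' is not host:port")
    return findings


def check_inputs(text: str, indexes_on_indexer: Set[str]) -> List[str]:
    """Return findings for inputs.conf given the indexes that exist on the indexer."""
    findings: List[str] = []
    cp = parse_conf(text)
    wel = [s for s in cp.sections() if s.startswith("WinEventLog://")]
    if not wel:
        return ["inputs.conf: no [WinEventLog://...] stanza, nothing is collected"]
    for s in wel:
        # An absent 'disabled' key means the input is enabled.
        if cp.get(s, "disabled", fallback="0").strip().lower() in ("1", "true"):
            findings.append(f"inputs.conf: [{s}] is disabled")
            continue
        index = cp.get(s, "index", fallback=None)
        if index is None:
            findings.append(f"inputs.conf: [{s}] sets no index, events go to the indexer's default index")
        elif index not in indexes_on_indexer:
            findings.append(f"inputs.conf: [{s}] sends to index '{index}', which does not exist on the indexer")
    return findings


if __name__ == "__main__":
    known = {"wineventlog"}
    for label, text in (("before", INPUTS_BEFORE), ("after", INPUTS_AFTER)):
        print(label, check_inputs(text, known) or ["ok"])
    print("outputs ok", check_outputs(OUTPUTS_OK) or ["ok"])
    print("outputs broken", check_outputs(OUTPUTS_BROKEN))
```

Running it against the "before" file (only a [default] host stanza, as posted in the thread) reports that nothing is collected; against the "after" file with the suggested [WinEventLog://Security] stanza it is clean as long as the named index really exists on the indexer, which is the check the answer above asks for. The script only reads files; it does not replace confirming on the indexer that the port is open and the index is created.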
