Getting Data In

Problems to collect data from Domain Controller (Active Directory)

jcrival
New Member

Hi Guys,

I have configured Splunk App for Windows Infrastructure on my Splunk Indexer. I also installed splunkforwarders on the remote servers and on the Domain Controller (Windows 2008 R2). I also copied the addons, but I am not able to display the Domain Controller's event logs (applications, system and security).

In splunkd.log I got this error:

9-13-2014 18:14:19.519 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='File Replication Service'
09-13-2014 18:14:19.519 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist1', failed to find delimeter '4' in regex '4662 Message="Object Type:\s+(?!groupPolicyContainer)"' for key 'EventCode '. Discarding.
09-13-2014 18:14:19.519 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist2', failed to find delimeter '5' in regex '566 Message="Object Type:\s+(?!groupPolicyContainer)"' for key 'EventCode '. Discarding.

Could you please help me out with the correct configuration?

Regards,

Jose C. Rivera


michaelstillmun
Explorer

When you see a WinEventMon:: error stating it is unable to find the Log with channel name="foo", it often means the Event Log Name is named differently than what is configured in your forwarder's inputs.conf stanza.

Also, the "File Replication Service" is considered a non-default Windows event log. You must import it into the Windows Event Viewer.

After you import the log, you can add it to your forwarder's local copy of inputs.conf, as follows:

[WinEventLog://File Replication Service]
disabled = 0

This may fix both problems; if not, double-check your regex statement for accuracy.

An issue I had was that I needed to monitor workstation CD-ROM usage. For my forwarder's inputs.conf I was using the following stanza:

[WinEventLog://Microsoft-Windows-CDROM]
disabled = 0

But if you take a look at the logs using PowerShell (Get-WinEvent -ListProvider cdrom) you see:

PS C:\> Get-WinEvent -ListProvider cdrom

Name     : cdrom
LogLinks : {System}
Opcodes  : {}
Tasks    : {}

Name     : Microsoft-Windows-CDROM
LogLinks : {Microsoft-Windows-CDROM/Operational}
Opcodes  : {win:Info}
Tasks    : {CDROM_DRIVER}

Looking at the LogLinks, I see I needed to use the System log and the proper event codes. I changed my stanza to look at the System log and to blacklist all but the code I wanted:

[WinEventLog://System]
disabled=0
blacklist1= 0-112,114-99999

Regards,
Michael Stillmunks

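As an added example (not code from the thread, the Splunk app or the add-on), here is a PowerShell pre-flight check that reads a forwarder's inputs.conf and reports both conditions behind the errors quoted in the question: a [WinEventLog://...] stanza naming a channel that does not exist on the host (printing the provider's LogLinks, the lookup Michael did by hand), and a regex-form whitelist/blacklist whose value is not wrapped in a delimiter character. The install path, and the parsing rules inferred from the wording of the forwarder's own error messages, are assumptions.

```powershell
# Added example (not from this thread or from Splunk): pre-flight check of a Universal
# Forwarder's inputs.conf for the two errors quoted above. Assumes the default install
# path; change $InputsConf to suit.
$InputsConf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'

# Scan the key=regex form of a whitelist/blacklist value the way the forwarder's error
# messages imply it is parsed: key up to the first '=', then the first character of the
# value is the delimiter and must occur again to close the regex (e.g. EventCode="4662").
function Test-KeyRegexList {
    param([string]$Body)
    $problems = @(); $pos = 0
    while ($Body.Substring($pos) -match '^\s*([^=]+)=') {
        $key = $Matches[1]; $pos += $Matches[0].Length
        if ($key -ne $key.Trim()) { $problems += "key '$key' carries whitespace, which becomes part of the key" }
        if ($pos -ge $Body.Length) { $problems += "key '$key' has no value"; break }
        $delim = [string]$Body[$pos]
        if ($delim -match '[\w\\\s]') { $problems += "key '$key': value starts with '$delim', not a quote or other delimiter"; break }
        $end = $Body.IndexOf($delim, $pos + 1)
        if ($end -lt 0) { $problems += "key '$key': closing delimiter $delim not found"; break }
        $pos = $end + 1
    }
    return $problems
}

# Every event log channel registered on this host (log names are case-insensitive)
$present = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue | ForEach-Object { $_.LogName }
$stanza = ''
foreach ($line in Get-Content $InputsConf) {
    if ($line -match '^\[WinEventLog://(.+?)\]\s*$') {
        $stanza = $Matches[1]
        if ($present -contains $stanza) { Write-Output "OK       [$stanza]"; continue }
        Write-Output "MISSING  [$stanza]: no such channel on this host (WinEventMon::configure will fail)"
        # The name may be a provider rather than a channel; show which logs that provider writes to
        foreach ($p in @(Get-WinEvent -ListProvider $stanza -ErrorAction SilentlyContinue)) {
            $logs = ($p.LogLinks | ForEach-Object { $_.LogName }) -join ', '
            Write-Output "         provider '$($p.Name)' writes to: $logs"
        }
    }
    elseif ($line -match '^\s*((?:whitelist|blacklist)\d*)\s*=\s*(.*?)\s*$') {
        $entry = $Matches[1]; $body = $Matches[2]
        if ($body -notmatch '=') { continue }   # plain EventCode list such as 0-112,114-99999; nothing to check
        foreach ($prob in @(Test-KeyRegexList -Body $body)) {
            Write-Output "BAD      [$stanza] ${entry}: $prob (the forwarder discards this entry)"
        }
    }
}
```

Run it on the forwarder host as a user who can read the event log metadata, then fix the reported stanzas before restarting the forwarder.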

jcrival
New Member

Hi Mario,
Here are the versions:

  • Splunk forwarder on Domain Controller: splunkforwarder-6.1.3-220630-x64-release.msi
  • Splunk Indexer (Windows 7): Splunk 6.1.2 (build 213098)
  • Splunk App for Windows Infrastructure: splunk-app-for-windows-infrastructure_103
  • Splunk addon for microsoft: splunk-add-on-for-microsoft-windows_471

Regards,

Jose Carlos


MarioM
Motivator

Can you give the versions of: Splunk App for Windows Infrastructure, Splunk Indexer, splunkforwarders?

