Installation

Splunk app for Window infrastructure

mysplunkbase
Explorer

I have installed Windows infrastructure app on Splunk search head (which is  a server)

The app requires multiple indexes(msad, perfmon, wineventlog) and all indexes are

receiving data except for msad

 

This is my inputs.conf file

 

 

# Copyright (C) 2019 Splunk Inc. All Rights Reserved.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.
#



###### OS Logs ######
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index= wineventlog

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
index= wineventlog

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index= wineventlog


###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml=true
host=WinEventLogForwardHost
index= wineventlog


###### WinEventLog Inputs for Active Directory ######

## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 0
renderXml=true
index= wineventlog
 
## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 0
renderXml=true
index= wineventlog
 
## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 0
renderXml=true
index= wineventlog
 
## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 0
renderXml=true
index= wineventlog


###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
disabled=1
renderXml=true
index= wineventlog


###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows


###### Windows Update Log ######
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows

## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
## Below stanza will automatically generate WindowsUpdate.log daily
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 0
index = windows

## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows


###### Monitor Inputs for Active Directory ######
[monitor://$WINDIR\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled=0
index = msad


###### Monitor Inputs for DNS ######
[MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
sourcetype=MSAD:NT6:DNS
disabled=0
index = msad


###### Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts

[script://.\bin\win_installed_apps.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

[script://.\bin\win_timesync_status.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
index = windows

[script://.\bin\win_timesync_configuration.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
index = windows

[script://.\bin\netsh_address.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration
index = windows

###### Scripted/Powershell Mod inputs Active Directory ######

## Replication Information NT6
[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
source = Powershell
sourcetype = MSAD:NT6:Replication
interval = 300
disabled = 0
index = msad
 
## Replication Information 2012r2 and 2016
[powershell://Replication-Stats]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype = MSAD:NT6:Replication
disabled = 0
index = msad
 
## Health and Topology Information NT6
[script://.\bin\runpowershell.cmd nt6-health.ps1]
source=Powershell
sourcetype = MSAD:NT6:Health
interval = 300
disabled = 0
index = msad
 
## Health and Topology Information 2012r2 and 2016
[powershell://AD-Health]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype = MSAD:NT6:Health
disabled = 0
index = msad
 
 
## Site, Site Link and Subnet Information NT6
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source = Powershell
sourcetype = MSAD:NT6:SiteInfo
interval = 3600
disabled = 0
index = msad
 
## Site, Site Link and Subnet Information 2012r2 and 2016
[powershell://Siteinfo]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
schedule = 0 15 * ? * *
source = Powershell
sourcetype = MSAD:NT6:SiteInfo
disabled = 0
index = msad


##### Scripted Inputs for DNS #####

## DNS Zone Information Collection
[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
source = Powershell
sourcetype = MSAD:NT6:DNS-Zone-Information
interval = 3600
disabled = 0
index = msad
 
## DNS Health Information Collection
[script://.\bin\runpowershell.cmd dns-health.ps1]
source = Powershell
sourcetype = MSAD:NT6:DNS-Health
interval = 3600
disabled = 0
index = msad


###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
type = Computer
index = windows

[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = windows

[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows

[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
type = NetworkAdapter
index = windows

[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows

[WinHostMon://Driver]
interval = 600
disabled = 0
type = Driver
index = windows

[WinHostMon://Roles]
interval = 600
disabled = 0
type = Roles
index = windows

###### Print monitoring ######
[WinPrintMon://printer]
type = printer
interval = 600
baseline = 1
disabled = 0
index = windows

[WinPrintMon://driver]
type = driver
interval = 600
baseline = 1
disabled = 0
index = windows

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 0
index = windows

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows

###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = perfmon

## Logical Disk
[perfmon://LogicalDisk]
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly=true
index = perfmon

## Physical Disk
[perfmon://PhysicalDisk]
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly=true
index = perfmon

## Memory
[perfmon://Memory]
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly=true
index = perfmon

## Network
[perfmon://Network]
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly=true
index = perfmon

## Process
[perfmon://Process]
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly = true
index = perfmon

## ProcessInformation
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly = true
index = perfmon

## System
[perfmon://System]
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly = true
index = perfmon


###### Perfmon Inputs from TA-AD/TA-DNS ######
[perfmon://Processor]
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
 
[perfmon://Network_Interface]
object = Network Interface
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
 
[perfmon://DFS_Replicated_Folders]
object = DFS Replicated Folders
instances = *
interval = 30
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
 
[perfmon://NTDS]
object = NTDS 
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon

[perfmon://DNS]
object = DNS
counters = Total Query Received; Total Query Received/sec; UDP Query 
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon


[admon://default]
disabled = 0
monitorSubtree = 1
index = perfmon


[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = perfmon

[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = perfmon

[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = perfmon

 

 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Thank you for sharing.  Do you have a question?

---
If this reply helps you, Karma would be appreciated.

mysplunkbase
Explorer

My question is: how do I get the msad  index to receive data?

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...