Installation

Splunk app for Window infrastructure

mysplunkbase
Explorer

I have installed Windows infrastructure app on Splunk search head (which is  a server)

The app requires multiple indexes(msad, perfmon, wineventlog) and all indexes are

receiving data except for msad

 

This is my inputs.conf file

 

 

# Copyright (C) 2019 Splunk Inc. All Rights Reserved.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.
#



###### OS Logs ######
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index= wineventlog

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
index= wineventlog

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index= wineventlog


###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml=true
host=WinEventLogForwardHost
index= wineventlog


###### WinEventLog Inputs for Active Directory ######

## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 0
renderXml=true
index= wineventlog
 
## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 0
renderXml=true
index= wineventlog
 
## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 0
renderXml=true
index= wineventlog
 
## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 0
renderXml=true
index= wineventlog


###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
disabled=1
renderXml=true
index= wineventlog


###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows


###### Windows Update Log ######
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows

## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
## Below stanza will automatically generate WindowsUpdate.log daily
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 0
index = windows

## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows


###### Monitor Inputs for Active Directory ######
[monitor://$WINDIR\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled=0
index = msad


###### Monitor Inputs for DNS ######
[MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
sourcetype=MSAD:NT6:DNS
disabled=0
index = msad


###### Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts

[script://.\bin\win_installed_apps.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

[script://.\bin\win_timesync_status.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
index = windows

[script://.\bin\win_timesync_configuration.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
index = windows

[script://.\bin\netsh_address.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration
index = windows

###### Scripted/Powershell Mod inputs Active Directory ######

## Replication Information NT6
[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
source = Powershell
sourcetype = MSAD:NT6:Replication
interval = 300
disabled = 0
index = msad
 
## Replication Information 2012r2 and 2016
[powershell://Replication-Stats]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype = MSAD:NT6:Replication
disabled = 0
index = msad
 
## Health and Topology Information NT6
[script://.\bin\runpowershell.cmd nt6-health.ps1]
source=Powershell
sourcetype = MSAD:NT6:Health
interval = 300
disabled = 0
index = msad
 
## Health and Topology Information 2012r2 and 2016
[powershell://AD-Health]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype = MSAD:NT6:Health
disabled = 0
index = msad
 
 
## Site, Site Link and Subnet Information NT6
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source = Powershell
sourcetype = MSAD:NT6:SiteInfo
interval = 3600
disabled = 0
index = msad
 
## Site, Site Link and Subnet Information 2012r2 and 2016
[powershell://Siteinfo]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
schedule = 0 15 * ? * *
source = Powershell
sourcetype = MSAD:NT6:SiteInfo
disabled = 0
index = msad


##### Scripted Inputs for DNS #####

## DNS Zone Information Collection
[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
source = Powershell
sourcetype = MSAD:NT6:DNS-Zone-Information
interval = 3600
disabled = 0
index = msad
 
## DNS Health Information Collection
[script://.\bin\runpowershell.cmd dns-health.ps1]
source = Powershell
sourcetype = MSAD:NT6:DNS-Health
interval = 3600
disabled = 0
index = msad


###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
type = Computer
index = windows

[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = windows

[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows

[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
type = NetworkAdapter
index = windows

[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows

[WinHostMon://Driver]
interval = 600
disabled = 0
type = Driver
index = windows

[WinHostMon://Roles]
interval = 600
disabled = 0
type = Roles
index = windows

###### Print monitoring ######
[WinPrintMon://printer]
type = printer
interval = 600
baseline = 1
disabled = 0
index = windows

[WinPrintMon://driver]
type = driver
interval = 600
baseline = 1
disabled = 0
index = windows

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 0
index = windows

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows

###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = perfmon

## Logical Disk
[perfmon://LogicalDisk]
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly=true
index = perfmon

## Physical Disk
[perfmon://PhysicalDisk]
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly=true
index = perfmon

## Memory
[perfmon://Memory]
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly=true
index = perfmon

## Network
[perfmon://Network]
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly=true
index = perfmon

## Process
[perfmon://Process]
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly = true
index = perfmon

## ProcessInformation
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly = true
index = perfmon

## System
[perfmon://System]
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly = true
index = perfmon


###### Perfmon Inputs from TA-AD/TA-DNS ######
[perfmon://Processor]
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
 
[perfmon://Network_Interface]
object = Network Interface
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
 
[perfmon://DFS_Replicated_Folders]
object = DFS Replicated Folders
instances = *
interval = 30
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon
 
[perfmon://NTDS]
object = NTDS 
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon

[perfmon://DNS]
object = DNS
counters = Total Query Received; Total Query Received/sec; UDP Query 
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon


[admon://default]
disabled = 0
monitorSubtree = 1
index = perfmon


[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = perfmon

[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = perfmon

[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = perfmon

 

 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Thank you for sharing.  Do you have a question?

---
If this reply helps you, Karma would be appreciated.

mysplunkbase
Explorer

My question is: how do I get the msad  index to receive data?

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...