I am using the Splunk app for LOGbinder to display AD changes in Splunk. All events are getting collected in the Event Viewer correctly. But when I search index=main in Splunk, I see "Message=Microsoft Windows security auditing" for all events. Can you help me with this, please?
Not sure about this Splunk app for LOGbinder, but maybe you can check this post:
https://community.splunk.com/t5/Splunk-Enterprise/No-results-found-in-the-ADChanges/m-p/512380
Installation steps (maybe you can cross-verify your installation steps)