×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
s72ucor
Explorer
Member since: ‎06-24-2013
‎01-25-2021
Community Statistics
Posts 5
Solutions 1
Karma Given 9
Karma Received 5
Member Since ‎06-24-2013
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Why am I not seeing any Windows security event...

by in Getting Data In
‎11-12-2014 07:34 PM
‎11-12-2014 07:34 PM
s/events/errors/ ... View more

Re: Why am I not seeing any Windows security event...

by in Getting Data In
‎11-12-2014 07:33 PM
2 Karma
‎11-12-2014 07:33 PM
2 Karma
Did you create that index on your Splunk server? That error means that it tried to write to an index that isn't there. Create the index and the events should go away. ... View more

Re: Why am I not seeing any Windows security event...

by in Getting Data In
‎11-12-2014 07:30 PM
1 Karma
‎11-12-2014 07:30 PM
1 Karma
On the UF make sure the Windows app has security event logs enabled in inputs.conf. Check to ensure output.conf is configured to send logs to your Splunk server. On the Splunk server make sure your inputs.conf is configured to listen on 9997 (or your configured port). Make sure indexes.conf is configured with an index for security events. You'll need to create an index called msad unless you've selected another index on the UF. Check splunkd.log for errors. Use netstat to see if the UF is sending/established on TCP 9997 and if the Splunk server is listening on tcp 9997. Even though you said they had a direct connection, make sure the windows firewall isn't blocking outbound ports from the UF and that the Splunk server is not being blocked inbound. Between the conf files, netstat, firewalls, and log files you should see something. Also, try an obligatory UF service restart. Let us know if any of these steps help. ... View more

Re: AD / LDAP Authentication Limit issues

by in Security
‎11-21-2013 07:32 AM
2 Karma
‎11-21-2013 07:32 AM
2 Karma
I've noticed that if I create an AD group for specific access (i.e. users) and then add users to that group I can get this to work; however, I needed to define the group by editing " /etc/syslog/local/authentication.conf" via the CLI. Even if I edit the configuration file and set the limit to 1000+,10000+,100000+,1000000+ it doesn't change the behavior. This makes me think that the issue isn't a LDAP issue, rather a GUI issue. I noticed that even with the limit change the GUI still only shows 1000 entries. Here's what I did to make things work: Configure the "LDAP strategy" via the GUI. Edit /etc/syslog/local/authentication.conf" Under the LDAP definition create your user access similar to the following: [roleMap_LDAPStrategyName] user = LDAPGroupName Restart Splunk Once I created the new AD config and defined the users via the CLI I restarted splunk and all these users that were supposed to have access were imported. In addition I was able to add new users to the AD group and use the GUI "Reload Authentication Configuration" button on under "Manager » Access controls » Authentication method". I know this isn't a GUI solution, but it did solve me problem. I'm using Splunk 5.5 on Linux. ... View more

Re: AD / LDAP Authentication Limit issues

by in Security
‎11-21-2013 06:49 AM
‎11-21-2013 06:49 AM
I have the same issue with or without nested groups enabled. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-25-2021 09:30 PM
Karma from
View All