I have installed the Windows Infrastructure app on a Splunk search head (which is a server). The app requires multiple indexes (msad, perfmon, wineventlog), and all of them are receiving data except msad. This is my inputs.conf file:
# Copyright (C) 2019 Splunk Inc. All Rights Reserved.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.
#
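###### OS Logs ######
## NOTE(review): the file header says this is the default copy of inputs.conf.
## Stanzas in ../local override these and survive upgrades, so disabled/index
## overrides such as the ones below belong there rather than in this file.
## Application channel, read from the oldest available record, emitted as XML.
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = wineventlog

## Security channel.
## evt_resolve_ad_obj = 1 resolves AD object identifiers in events to names,
## which only works when the collecting host can reach a domain controller.
## blacklist1/blacklist2 drop EventCode 4662 and 566 object-access events
## unless the Object Type is groupPolicyContainer (negative lookahead in the
## Message regex). Dropped events never reach the indexer, so object-access
## auditing for anything other than GPOs is not available from this input.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml = true
index = wineventlog

## System channel, same collection settings as Application.
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
index = wineventlog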
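###### Forwarded WinEventLogs (WEF) ######
## Events received through Windows Event Forwarding into the local
## ForwardedEvents channel.
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml = true
## NOTE(review): WinEventLogForwardHost reads like a placeholder label for the
## collector; confirm whether the add-on replaces host per event from the XML
## payload or whether this literal is stamped on every forwarded event.
host = WinEventLogForwardHost
index = wineventlog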
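###### WinEventLog Inputs for Active Directory ######
## NOTE(review): these channels exist only on hosts running the matching role
## (DFS Replication, AD DS, FRS, KMS). On a host without the role there is
## nothing to read, which is the expected situation on a search head.
## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 0
renderXml = true
index = wineventlog

## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 0
renderXml = true
index = wineventlog

## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 0
renderXml = true
index = wineventlog

## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 0
renderXml = true
index = wineventlog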
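###### WinEventLog Inputs for DNS ######
## The only WinEventLog stanza left disabled in this file. The DNS Server
## channel exists only on hosts with the DNS Server role, so confirm whether
## this is deliberate or an oversight relative to the other channels above.
[WinEventLog://DNS Server]
disabled = 1
renderXml = true
index = wineventlog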
###### DHCP ######
## DHCP server audit logs: files matching DhcpSrvLog* in the role's log
## directory. crcSalt = <SOURCE> keys the read checkpoint on the file path,
## so daily logs that begin with an identical header are not mistaken for
## files that were already read.
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows
###### Windows Update Log ######
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows
## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
## Below stanza will automatically generate WindowsUpdate.log daily
## NOTE(review): all three stanzas in this group are enabled, although the
## comments above present the legacy monitor and the generator/monitor pair as
## alternatives for different OS versions; confirm which applies to this host.
## Scheduled with a 5-field cron expression (minute 0 of every 24th hour,
## i.e. once a day).
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 0
index = windows
## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows
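###### Monitor Inputs for Active Directory ######
## Netlogon debug log.
## NOTE(review): this file is only populated when Netlogon debug logging is
## enabled on the host and is mainly meaningful on a domain controller. On a
## search head it is likely absent or empty, which would leave the msad index
## without events from this input.
[monitor://$WINDIR\debug\netlogon.log]
sourcetype = MSAD:NT6:Netlogon
disabled = 0
index = msad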
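###### Monitor Inputs for DNS ######
## DNS Server debug log, read with MonitorNoHandle (intended for files the
## writing process holds open).
## NOTE(review): the file exists only on a host with the DNS Server role and
## debug logging turned on; otherwise this input contributes nothing to msad.
[MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
sourcetype = MSAD:NT6:DNS
disabled = 0
index = msad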
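###### Scripted Input (See also wmi.conf)
## Listening ports inventory.
## index = windows added: every other script stanza in this group routes to
## the windows index; without it these events land in the server's default
## index and are separated from the rest of the host inventory.
[script://.\bin\win_listening_ports.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts
index = windows

## Installed software inventory.
[script://.\bin\win_installed_apps.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

## Time synchronisation status (clock skew affects log correlation and Kerberos).
[script://.\bin\win_timesync_status.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
index = windows

## Time synchronisation configuration.
[script://.\bin\win_timesync_configuration.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
index = windows

## Network address configuration (netsh).
[script://.\bin\netsh_address.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration
index = windows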
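###### Scripted/Powershell Mod inputs Active Directory ######
## NOTE(review): these inputs query AD replication, health and site topology
## and are the main feeders of the msad index. They return data only from a
## host that holds the AD DS role or can query it with the AD tooling the
## scripts rely on; on a search head that is not a domain controller they are
## the first place to look when msad stays empty. Each topic has an "NT6"
## script variant and a "2012r2 and 2016" powershell variant, and both are
## enabled here although they produce the same sourcetype; confirm whether
## this host needs both.
## Replication Information NT6
[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
source = Powershell
sourcetype = MSAD:NT6:Replication
interval = 300
disabled = 0
index = msad

## Replication Information 2012r2 and 2016
## schedule uses the 6-field (seconds-first) form: every 5 minutes.
[powershell://Replication-Stats]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype = MSAD:NT6:Replication
disabled = 0
index = msad

## Health and Topology Information NT6
[script://.\bin\runpowershell.cmd nt6-health.ps1]
source = Powershell
sourcetype = MSAD:NT6:Health
interval = 300
disabled = 0
index = msad

## Health and Topology Information 2012r2 and 2016
## schedule: every 5 minutes.
[powershell://AD-Health]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype = MSAD:NT6:Health
disabled = 0
index = msad

## Site, Site Link and Subnet Information NT6
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source = Powershell
sourcetype = MSAD:NT6:SiteInfo
interval = 3600
disabled = 0
index = msad

## Site, Site Link and Subnet Information 2012r2 and 2016
## schedule: at minute 15 of every hour.
[powershell://Siteinfo]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
schedule = 0 15 * ? * *
source = Powershell
sourcetype = MSAD:NT6:SiteInfo
disabled = 0
index = msad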
##### Scripted Inputs for DNS #####
## NOTE(review): both scripts query the DNS Server role; on a host without it
## they contribute nothing to msad.
## DNS Zone Information Collection
[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
source = Powershell
sourcetype = MSAD:NT6:DNS-Zone-Information
interval = 3600
disabled = 0
index = msad
## DNS Health Information Collection
[script://.\bin\runpowershell.cmd dns-health.ps1]
source = Powershell
sourcetype = MSAD:NT6:DNS-Health
interval = 3600
disabled = 0
index = msad
###### Host monitoring ######
## Inventory snapshots (computer, processes, processors, adapters, services,
## OS, disks, drivers, roles) every 600 s, all routed to the windows index.
## The Process and Service snapshots are the ones worth comparing against a
## known baseline for unexpected additions.
[WinHostMon://Computer]
interval = 600
disabled = 0
type = Computer
index = windows
[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = windows
[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows
[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
type = NetworkAdapter
index = windows
[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows
[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows
[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows
[WinHostMon://Driver]
interval = 600
disabled = 0
type = Driver
index = windows
[WinHostMon://Roles]
interval = 600
disabled = 0
type = Roles
index = windows
###### Print monitoring ######
## Printer, driver and port inventory every 600 s. baseline = 1 emits the
## current state at startup in addition to subsequent changes.
[WinPrintMon://printer]
type = printer
interval = 600
baseline = 1
disabled = 0
index = windows
[WinPrintMon://driver]
type = driver
interval = 600
baseline = 1
disabled = 0
index = windows
[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 0
index = windows
###### Network monitoring ######
## NOTE(review): both directions are enabled with no filter keys (no
## addressFamily, protocol, remoteAddress or process restriction), so every
## inbound and outbound connection event on the host is captured. Useful for
## connection auditing, but among the highest-volume inputs in this file;
## scope it if the windows index fills faster than expected.
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows
[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows
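###### Splunk 5.0+ Performance Counters ######
## Eight perfmon objects sampled every 10 s in single mode. With
## instances = *, Process is the high-cardinality object: its event count
## scales with the number of running processes.
## NOTE(review): perfmon://Network_Interface in the TA-AD/TA-DNS group below
## also collects Network Interface at 10 s, so that object is indexed twice;
## perfmon://Processor below appears intended to do the same for Processor.
## CPU
[perfmon://CPU]
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly = true
index = perfmon

## Logical Disk
[perfmon://LogicalDisk]
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly = true
index = perfmon

## Physical Disk
[perfmon://PhysicalDisk]
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly = true
index = perfmon

## Memory
[perfmon://Memory]
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly = true
index = perfmon

## Network
[perfmon://Network]
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly = true
index = perfmon

## Process
[perfmon://Process]
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly = true
index = perfmon

## Processor Information (comment previously read "ProcessInformation")
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly = true
index = perfmon

## System
[perfmon://System]
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly = true
index = perfmon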
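###### Perfmon Inputs from TA-AD/TA-DNS ######
## Processor counters.
## object = Processor added: a perfmon stanza needs an object to collect
## anything, and this stanza had none, so it gathered no data.
## NOTE(review): with the object set it duplicates perfmon://CPU above (same
## object, same 10 s interval); keep one of the two.
[perfmon://Processor]
object = Processor
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon

## Network Interface counters; duplicates perfmon://Network above at the same
## interval.
[perfmon://Network_Interface]
object = Network Interface
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon

## DFS replication counters; present only where DFS Replication is installed.
[perfmon://DFS_Replicated_Folders]
object = DFS Replicated Folders
instances = *
interval = 30
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon

## NTDS (AD DS) counters; present only on a domain controller.
[perfmon://NTDS]
object = NTDS
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon

## DNS server counters; present only with the DNS Server role.
[perfmon://DNS]
object = DNS
counters = Total Query Received; Total Query Received/sec; UDP Query
interval = 10
disabled = 0
mode = single
useEnglishOnly = true
index = perfmon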
## Active Directory change monitoring (monitorSubtree = 1 watches the whole
## directory tree rather than only the base object).
## NOTE(review): routed to perfmon here, while every other AD input in this
## file writes to msad and perfmon otherwise holds only counters. If the app's
## AD views search msad, admon events will not be found there — confirm the
## intended index.
[admon://default]
disabled = 0
monitorSubtree = 1
index = perfmon
## Registry change monitoring.
## NOTE(review): hive = .* and proc = .* with every change type means this
## stanza records every registry write by every process on the host. That is
## a very high-volume input that is normally scoped to specific hives or
## processes (or left disabled) rather than run wide open; it also makes the
## two Run-key stanzas below redundant, so each Run-key change is captured
## twice. As with admon, these events go to perfmon rather than an index
## holding the host's other Windows data — confirm the intended index.
[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = perfmon
## Per-user Run key (HKCU maps to \REGISTRY\USER\<SID>). Autostart entries
## are a common persistence location, so changes here are worth alerting on.
[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = perfmon
## Machine-wide Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = perfmon