Hey everyone, I'm having some small issues with my new Splunk setup in regards to AD logging. I have a few domain controllers that I just set up to receive updates from our Deployment Server (Windows_TA app). My original issue was figuring out how to get admon logs to go to our index=msad rather than the default index=main. I was able to partially fix that issue by modifying the inputs.conf file in the deployment app. Now the logs are being sent to the correct index=msad. However, admon logs are also still being sent to index=main. We now have admon data duplication between 2 indexes.

Does anyone have any ideas on how to get the DCs to stop sending admon logs to index=main? Preferably some configuration I could push from our Deployment Server?

This is an example of a stanza in our inputs.conf that is being pushed to the DCs from the Deployment Server:

```
[admon://ADMonitoring]
targetDc = DC102
monitorSubtree = 1
baseline = 0
index = msad
disabled = false
```
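One configuration worth trying, added here as an example rather than taken from the post above or from Splunk's own documentation: Splunk merges every enabled `admon://` stanza across all installed apps, and `index = msad` only applies to the stanza it is written in. If the Windows TA ships its own enabled admon stanza, that stanza keeps running next to `[admon://ADMonitoring]` and writes to its own default index, which is exactly the duplication described. Disabling the TA's stanza from the deployment app's `local/inputs.conf` removes the second copy. The stanza name `[admon://default]`, the app directory name and the forwarder install path below are assumptions; confirm the real stanza name on a DC with btool before pushing.

```ini
# <deployment_app>/local/inputs.conf, pushed to the DCs by the Deployment Server.
# Added example, not the original poster's file. <deployment_app> is a placeholder.

# Assumption: the Windows TA's own admon stanza is named "default".
# Verify the actual enabled admon stanzas and which file each setting comes from:
#   "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" btool inputs list admon --debug
# A stanza in local/ overrides the same-named stanza in the TA's default/ directory.
[admon://default]
disabled = 1

# The custom stanza from the post, kept as-is: this is the only admon input that
# should remain enabled, and it writes to index=msad.
[admon://ADMonitoring]
targetDc = DC102
monitorSubtree = 1
baseline = 0
index = msad
disabled = false
```

Once the app is updated, the forwarder needs a restart to pick up the new inputs.conf; setting `restartSplunkd = true` for the server class in `serverclass.conf` on the Deployment Server handles that automatically. Re-run the btool command afterwards and confirm that only `[admon://ADMonitoring]` shows `disabled = false` (or `0`). An equivalent alternative is to keep the TA's stanza and set `index = msad` on it in `local/inputs.conf` instead of adding a second stanza, so that only one admon input exists at all.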