Hi I'm using Splunk app for Active Directory, i've installed and configured it to make it run. I receive data regarding the CPU/RAM monitoring, general info, etc ... in the 3 index msad, perform & winevents. Unfortunately, i don't receive any information regarding the DC status/helth. I see it's due to the search "index=msad source=powershell", i'd never indexed data with the field source=powershell in the msad index (only index=msad source=ActiveDirectory). How could i check where the problem come from ? The script doesn't work ? Isn't executed ? something else ? The GPO making run the PS script on my DCs is enabled. I use 1 splunk server with 2 Win 2012 DCs. Some help would be fine 🙂 Thanks ! ... View more

Hello I'm having an issue with Splunk app for Active Directory All the data are index to the main index, that make the app unsable as it search into the index msad, perform and winevents. I've installed Windows TA on the Windows servers and the Splunk instance side. I've used the latest version downloaded here http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on On the windows servers monitored : C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows On the servers side /opt/splunk/etc/apps/Splunk_for_ActiveDirectory/appserver/addons/TA-DomainController-NT6/local With the inputs.conffile like this : [WinEventLog:DFS Replication] disabled=0 sourcetype="WinEventLog:DFS Replication" index=winevents queue=parsingQueue # # Application and Services Logs - Directory Service # [WinEventLog:Directory Service] disabled=0 sourcetype="WinEventLog:Directory Service" index=winevents queue=parsingQueue # # Application and Services Logs - File Replication Service # [WinEventLog:File Replication Service] disabled=0 sourcetype="WinEventLog:File Replication Service" index=winevents queue=parsingQueue # # Application and Services Logs - Key Management Service # [WinEventLog:Key Management Service] disabled=0 sourcetype="WinEventLog:Key Management Service" index=winevents queue=parsingQueue # # Collect Replication Information # [script://.\bin\runpowershell.cmd ad-repl-stat.ps1] source=Powershell sourcetype=MSAD:NT6:Replication interval=300 index=msad disabled=false # # Collect Health and Topology Information # [script://.\bin\runpowershell.cmd ad-health.ps1] source=Powershell sourcetype=MSAD:NT6:Health interval=300 index=msad disabled=false # # Collect Site, Site Link and Subnet Information # [script://.\bin\runpowershell.cmd siteinfo.ps1] source=Powershell sourcetype=MSAD:NT6:SiteInfo interval=3600 index=msad disabled=false # # Perfmon Collection # [perfmon://Processor] object = Processor counters = * instances = * interval = 10 disabled = 0 index=perfmon [perfmon://Memory] object = Memory counters = * interval = 10 disabled = 0 index=perfmon [perfmon://Network_Interface] object = Network Interface counters = * instances = * interval = 10 disabled = 0 index=perfmon [perfmon://DFS_Replicated_Folders] object = DFS Replicated Folders counters = * instances = * interval = 30 disabled = 0 index=perfmon [perfmon://NTDS] object = NTDS counters = * interval = 10 disabled = 0 index=perfmon # # ADMon Collection # [script://$SPLUNK_HOME\bin\scripts\splunk-admon.path] interval=3600 disabled=false index=msad # # Subnet Affinity Log # [monitor://C:\Windows\debug\netlogon.log] sourcetype=MSAD:NT6:Netlogon disabled=false index=msad I got data from the execution of the scripts as i find these sourcetypes into the main index : - WinEventLog:Security - WinEventLog:System - fs_notification - WinEventLog:Application - ActiveDirectory - WinEventLog:Setup I guess i've followed all the steps to install and configure the app by following this tutorial but it seems i've done something wrong ... http://docs.splunk.com/Documentation/ActiveDirectory/latest/DeployAD/Deploymentprocess I've already looked for my mistake but without success Could someone help me to troubleshoot this ? Thanks. ... View more

Hello, I would like to know if that possible to configure on a single splunk fowarder, 2 distincts inputs and outputs. In a concrete way, i would to receive the inputs logs coming from : UDP:10001 and send them to TCP:10001 in output UDP:10002 and send them to TCP:10002 in output The only configuration i see, is centralizing the logs in a single point from the inputs, and send them to the outputs. I want 2 distincts flow is it possible ? It should look like this Thanks ! ... View more

Hello, I'm consulting the documentation regarding filtering events before they get indexed but i have issue to understand how i could do that. I got events coming from 1 IP, and i don't want to index the events where the field "risk_rating" is lower than 75. i really don't know how to do that with props.conf and transforms.conf Props.conf [host::10.6.75.16] TRANSFORMS-null= setnull Tranforms.conf [setnull] REGEX=???? /did i have to use this field/ DEST_KEY=queue FORMAT=nullQueue How could i say all the values under 75 for the field "risk_rating" isn't indexed under the transforms file ? It seems quit simple but i really don't get it ... Thanks. ... View more

Hello I search could i move sepcific data from an index called index1 to another one called index2. Let's say i have all this kind of events in my index 1 : Events kind 1 Events kind 2 Events kind 3 Events kind 4 I want to move all the events 3 & 4 to index index2 and delete them from index1. So the final result would be : Index1 : Events kind 1 Events kind 2 Index2 : Events kind 3 Events kind 4 Is there a way to do that ? Thanks. ... View more

Hello I have issue to make work the Cisco IPS app under splunk. I made it works the first time indexing correctly the IPS logs. I did a lot of register script under the set up menu on the Cisco IPS. I tried to delete the wrong one but i was unable to do it because i did get an error message everytime. So i decided to uninstall the app by removing the Splunk_CiscoIPS folder under $SPLUNK/etc/apps/ and restart splunk to make a fresh install. I'd also deleted the CiscoIPS folder I founded under $SPLUNK/etc/users/%user%/ I made a fresh install and now i'm unable to get the IPS events after doing the set up. Here's the log i have in $SPLUNK/var/log/splunk/sdee_get.log Wed Oct 10 15:00:22 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4 Wed Oct 10 15:00:22 2012 - INFO - Attempting to connect to sensor: 1.2.3.4 Wed Oct 10 15:00:22 2012 - INFO - Successfully connected to: 1.2.3.4 Wed Oct 10 15:00:22 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4 Wed Oct 10 15:00:22 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4 Wed Oct 10 15:00:22 2012 - INFO - Attempting to connect to sensor: 1.2.3.4 Wed Oct 10 15:00:22 2012 - INFO - Successfully connected to: 1.2.3.4 Wed Oct 10 15:00:23 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 401: Unauthorized Wed Oct 10 15:00:24 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 400: Bad Request Wed Oct 10 15:05:23 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4 Wed Oct 10 15:05:23 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4 Wed Oct 10 15:05:23 2012 - INFO - Attempting to connect to sensor: 1.2.3.4 Wed Oct 10 15:05:23 2012 - INFO - Successfully connected to: 1.2.3.4 Wed Oct 10 15:05:24 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 401: Unauthorized Wed Oct 10 15:05:25 2012 - INFO - Checking for exsisting SubscriptionID on host: 1.2.3.4 Wed Oct 10 15:05:25 2012 - INFO - No exsisting SubscriptionID for host: 1.2.3.4 Wed Oct 10 15:05:25 2012 - INFO - Attempting to connect to sensor: 1.2.3.4 Wed Oct 10 15:05:25 2012 - INFO - Successfully connected to: 1.2.3.4 Wed Oct 10 15:05:26 2012 - ERROR - Connecting to sensor - 1.2.3.4: HTTPError: HTTP Error 400: Bad Request It seems to be my credentials which aren't correct but i'd already tried to make another account unsuccessfully. Do you have any idea ? Thanks. ... View more

hello, I got a question regarding the field indexed by splunk when an event is received on splunk server. I would like to index and use the timestamp present into the logs I get from multiple sources. All those logs are stored into the default DB. There's 3 kind of timestamps present in the 3 diffrents logs source which look like this : 2012-07-25T08:07:30 1343250669001 => This is epoch time Jul 23 12:09:43 3 eventtype has been created for each. Splunk is currently indexing these logs at the time it were received on the splunk server. The purpose would be to do search on splunk from these events using the time present in the logs file. I tried to follow the instrctions present in this page but it doesen't seems to work, i'm pretty sure i'm doing something wrong. http://docs.splunk.com/Documentation/Splunk/4.3.3/Data/Configuretimestamprecognition Here's the first entry i made on the props.conf file. [EVENT_Spyware] TIME_PREFIX = (?i) .*?="(?P<Spyware>\d+\-\d+\-\d+\w+:\d+:\d+)\w+" TIME_FORMAT = %Y-%m-%dT%H:%M:%S TZ = Europe/Paris TRANSFORMS-Virus = Spyware Could someone help please ? Thanks. ... View more