Hi I'm using Splunk app for Active Directory, i've installed and configured it to make it run. I receive data regarding the CPU/RAM monitoring, general info, etc ... in the 3 index msad, perform & winevents. Unfortunately, i don't receive any information regarding the DC status/helth. I see it's due to the search "index=msad source=powershell", i'd never indexed data with the field source=powershell in the msad index (only index=msad source=ActiveDirectory). How could i check where the problem come from ? The script doesn't work ? Isn't executed ? something else ? The GPO making run the PS script on my DCs is enabled. I use 1 splunk server with 2 Win 2012 DCs. Some help would be fine 🙂 Thanks ! ... View more

Hello I'm having an issue with Splunk app for Active Directory All the data are index to the main index, that make the app unsable as it search into the index msad, perform and winevents. I've installed Windows TA on the Windows servers and the Splunk instance side. I've used the latest version downloaded here http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on On the windows servers monitored : C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows On the servers side /opt/splunk/etc/apps/Splunk_for_ActiveDirectory/appserver/addons/TA-DomainController-NT6/local With the inputs.conffile like this : [WinEventLog:DFS Replication] disabled=0 sourcetype="WinEventLog:DFS Replication" index=winevents queue=parsingQueue # # Application and Services Logs - Directory Service # [WinEventLog:Directory Service] disabled=0 sourcetype="WinEventLog:Directory Service" index=winevents queue=parsingQueue # # Application and Services Logs - File Replication Service # [WinEventLog:File Replication Service] disabled=0 sourcetype="WinEventLog:File Replication Service" index=winevents queue=parsingQueue # # Application and Services Logs - Key Management Service # [WinEventLog:Key Management Service] disabled=0 sourcetype="WinEventLog:Key Management Service" index=winevents queue=parsingQueue # # Collect Replication Information # [script://.\bin\runpowershell.cmd ad-repl-stat.ps1] source=Powershell sourcetype=MSAD:NT6:Replication interval=300 index=msad disabled=false # # Collect Health and Topology Information # [script://.\bin\runpowershell.cmd ad-health.ps1] source=Powershell sourcetype=MSAD:NT6:Health interval=300 index=msad disabled=false # # Collect Site, Site Link and Subnet Information # [script://.\bin\runpowershell.cmd siteinfo.ps1] source=Powershell sourcetype=MSAD:NT6:SiteInfo interval=3600 index=msad disabled=false # # Perfmon Collection # [perfmon://Processor] object = Processor counters = * instances = * interval = 10 disabled = 0 index=perfmon [perfmon://Memory] object = Memory counters = * interval = 10 disabled = 0 index=perfmon [perfmon://Network_Interface] object = Network Interface counters = * instances = * interval = 10 disabled = 0 index=perfmon [perfmon://DFS_Replicated_Folders] object = DFS Replicated Folders counters = * instances = * interval = 30 disabled = 0 index=perfmon [perfmon://NTDS] object = NTDS counters = * interval = 10 disabled = 0 index=perfmon # # ADMon Collection # [script://$SPLUNK_HOME\bin\scripts\splunk-admon.path] interval=3600 disabled=false index=msad # # Subnet Affinity Log # [monitor://C:\Windows\debug\netlogon.log] sourcetype=MSAD:NT6:Netlogon disabled=false index=msad I got data from the execution of the scripts as i find these sourcetypes into the main index : - WinEventLog:Security - WinEventLog:System - fs_notification - WinEventLog:Application - ActiveDirectory - WinEventLog:Setup I guess i've followed all the steps to install and configure the app by following this tutorial but it seems i've done something wrong ... http://docs.splunk.com/Documentation/ActiveDirectory/latest/DeployAD/Deploymentprocess I've already looked for my mistake but without success Could someone help me to troubleshoot this ? Thanks. ... View more

Hello, I would like to know if that possible to configure on a single splunk fowarder, 2 distincts inputs and outputs. In a concrete way, i would to receive the inputs logs coming from : UDP:10001 and send them to TCP:10001 in output UDP:10002 and send them to TCP:10002 in output The only configuration i see, is centralizing the logs in a single point from the inputs, and send them to the outputs. I want 2 distincts flow is it possible ? It should look like this Thanks ! ... View more

Hello, I'm consulting the documentation regarding filtering events before they get indexed but i have issue to understand how i could do that. I got events coming from 1 IP, and i don't want to index the events where the field "risk_rating" is lower than 75. i really don't know how to do that with props.conf and transforms.conf Props.conf [host::10.6.75.16] TRANSFORMS-null= setnull Tranforms.conf [setnull] REGEX=???? /did i have to use this field/ DEST_KEY=queue FORMAT=nullQueue How could i say all the values under 75 for the field "risk_rating" isn't indexed under the transforms file ? It seems quit simple but i really don't get it ... Thanks. ... View more