
Splunk App for Windows Infrastructure: Why does search sourcetype=MSAD return no events?

tckoaypg

My Splunk Enterprise v6.2.2 is running on Linux with Windows Add-on 4.75, Splunk App for Windows Infrastructure 1.12, and Splunk Supporting Add-on for Active Directory 2.01 installed.

My AD is running on Windows 2008 with the Universal Forwarder, Splunk TA for Windows, and the Splunk PowerShell module installed.

However, I am still getting "MSAD did not return any event during the Windows Infra Setup Page, check data section."

Data from Splunk Add-on for Microsoft Windows Active Directory
Critical data could not be found
OK: 15 or more events detected in the last 24 hours
ERROR: Search "sourcetype="MSAD*" | head 5" did not return any events in the last 24 hours

When I search index=* source="activedirectory", it does display AD events, which shows that the AD settings are correct. How do I troubleshoot this issue?

1 Solution

tckoaypg

Problem resolved by installing the TA for DomainController on the Windows Server that you need to monitor. I extracted the TA for DomainController from the Splunk App for Microsoft Exchange.
