So I am trying to get the Windows Infrastructure all configured. For the most part I think I have it configured right but some things are not working.
If I go into Active Directory Topology report - I can see the domains - looks like a lot of the dashboards are working... I want to make sure that I can watch Group Policy Changes... I have auditing turned on at the domain controller and have verified that events are being logged - viewed them in the security log.
When I go to Splunk > Windows Infra App > Active Directory > Group Policy > Group Policy Changes
The account domain field, Administrator, and GPO Name on the right hand side states "Search produced no results"
Change to last 7 days to make sure - nothing....
Is this pulled from the event log entries that are created with auditing turned on, or via LDAP queries of some sort?
Any help to get this working would be appreciated.
Thanks
John
I've been having the same issue since installing Splunk, but I was able to resolve it this morning by enabling Audit file system global object access in the Default Domain Controllers Policy.
This is on 2012R2 server running at 2008R2 functional level.
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Global Object Access Auditing > File System
Set the Principal to Everyone
Set the Type to Success
Set Permissions to
Create Files / write data
Create folders / append data
Write Attributes
Write extended attributes
Delete subfolders and files
Delete
Change Permissions
Take Ownership
Hope that helps.
I am also having a similar problem with the Event Monitoring Dashboard. The Log Name drop-down is showing no results.
Do you have any news regarding this topic? We are facing exactly the same issue.
PS - Even called splunk support on this as we have a support contract. They have been unable to help resolve.
Honestly I gave up trying to figure it out. It hasn't worked since we installed. Yes we are logging those events. Followed the instructions for installation etc. You can manually search for the events and they come up fine - just not in this addon.
I'm in the same boat. It's the only piece of the infrastructure app that I don't have working.
Make sure your GPO is auditing those events. http://docs.splunk.com/Documentation/MSApp/1.2.0/MSInfra/ConfigureActiveDirectoryauditpolicy . Specifically make sure that you are auditing policy change. Once you do that, any changes to GPO will be written to the Windows Security Event Log. Those are logged as event code 4662.
You can search your Splunk instance for sourcetype="WinEventLog:Security" EventCode=4662 to see if any events are there. Once they show up, the dashboard should start populating.
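A check that goes with the reply above, added here as an example and not taken from the thread or from the Splunk app: run on a domain controller in an elevated PowerShell session, it shows the effective audit policy for the subcategories involved and then counts the 4662 events that actually touch Group Policy objects, so you can tell whether the log side or the Splunk side is the problem. It assumes the ObjectName field of the 4662 event carries the object's distinguished name (the GPO container path CN=Policies,CN=System,...); on DCs that render it as a GUID the filter will match nothing even though events exist.

```powershell
# Added check (not from the thread or the Splunk app): run elevated on a DC.
# Confirms the two things the Group Policy Changes dashboard depends on:
# the audit subcategories are on, and 4662 events for GPO objects exist.

# 1. Effective audit policy. 4662 ("an operation was performed on an object")
#    is produced under Directory Service Access; Audit Policy Change is the
#    subcategory the reply above asks for.
auditpol /get /subcategory:"Directory Service Access","Audit Policy Change"

# 2. Pull the last 7 days of 4662 events (same window the thread tried).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# 3. Keep only events whose object sits under the GPO container.
#    Assumption: ObjectName holds the DN (CN={guid},CN=Policies,CN=System,...).
$gpoEvents = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ObjectName'] -match 'CN=Policies,CN=System') {
        [pscustomobject]@{
            Time          = $e.TimeCreated
            AccountDomain = $data['SubjectDomainName']   # "account domain" on the dashboard
            Account       = $data['SubjectUserName']
            ObjectName    = $data['ObjectName']
            AccessMask    = $data['AccessMask']
        }
    }
}

"4662 events in window   : $($events.Count)"
"  touching GPO objects  : $($gpoEvents.Count)"
$gpoEvents | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

If both counts are zero, auditing is not producing what the dashboard reads and the GPO settings need revisiting; if they are non-zero but the Splunk search in the reply above is empty, the gap is in forwarding or sourcetype, not in the audit policy.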
I've done the above and it still doesn't populate the dashboard as mentioned above.
Have you sent a ticket to Splunk yet? Did they respond to you with any solutions? I am facing the same issue as well.
Yes I submitted a ticket. I was told to run a diag on my splunk server which ended up hanging and never completing.
I emailed the rep and informed him/her of this and haven't received any word back. I've loved Splunk up to the point of having to actually open tickets with them. I find that it's mostly a 1 day response time on any email I submit.
I will update this post with any findings.
Thanks a lot! Hopefully they get back to you soon! It seems this particular dashboard has been having issues since a few years back and somehow it was never solved.
Are you seeing Events 4662 in your EventLog if you go direct to the Windows Event Log?
Yes I am. Verified a few instances of that entry in the event log.
I'd recommend starting a ticket with Splunk. This is a supported app.
I'm having the same issue. Any help would be appreciated.
Have not gotten this working yet - have not had time. I need to call back into support at some point. I will update if I get it working.
Have you had any update from them? I've had issues with this and some of the user reports. For it being a Splunk supported app, it's kind of clunky.