Splunk App for Windows Infrastructure - deployment issues

africates
Explorer

Hi,

I'm trying to deploy Splunk App for Windows Infrastructure on a small AD environment (2 Domain Controllers and a few other Windows servers + 1 Splunk Indexer).

I installed everything according to the App specification, but I'm getting very little information via the App itself now. I can see that I do not get any info regarding users or groups etc.

I noticed that the PowerShell scripts aren't running OK, i.e. the script below should gather some topology info but returns an error (see the end of the post).

Any ideas what could go wrong?

[powershell://AD-Health]
script = & "$SplunkHome\etc\apps\TA-DomainController-2012R2\bin\Invoke-MonitoredScript.ps1" -Command ".\ad-health.ps1"
schedule = 0 */5 * ? * *
index = msad
source=Powershell
sourcetype=MSAD:NT6:Health
disabled=false

ParentIdentity="5e1ba9e1-f102-4156-8e0e-7abed0a5d1c3" ErrorIndex="0" ErrorMessage="A local error has occurred" PositionMessage="At C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-2012R2\bin\siteinfo.ps1:7 char:8 + $DC = Get-ADDomainController -Identity $ServerName + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" CategoryInfo="NotSpecified: (REDACTED:ADDomainController) [Get-ADDomainController], ADException" FullyQualifiedErrorId="ActiveDirectoryServer:8251,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController" Exception="Microsoft.ActiveDirectory.Management.ADException: A local error has occurred ---> System.ServiceModel.FaultException1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. Server stack trace: at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.TopologyManagement.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) --- End of inner exception stack trace --- at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException) at 
Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADTopologyManagement.GetADDomainController(ADSessionHandle handle, GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADTopologyManagement.GetDomainController(String[] dcNtdsSettingsDN) at Microsoft.ActiveDirectory.Management.Commands.ADDomainControllerFactory1.GetExtendedObjectFromIdentity(T identityObj, String identityQueryPath, ICollection1 propertiesToFetch, Boolean showDeleted) at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase3.ADGetCmdletBaseProcessCSRoutine() at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke() at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase1.ProcessRecord()" InnerException="System.ServiceModel.FaultException1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. (Fault Detail is equal to schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault)."

0 Karma

Yasaswy
Contributor

Hi africates,
Did you verify your ldap.conf?...
The following can also help
http://docs.splunk.com/Documentation/MSApp/1.0.2/MSInfra/EnableAuditingandPowerShellondomaincontroll...

0 Karma

africates
Explorer

I ignored that Users, Computers and Groups weren't detected, checked these under 'App Configuration' and created lookups. I can see some reports when I do the search now, but e.g. the items below (and more) are missing:
Users > Administrator Audit (Account Domain and Administrator - no results)

0 Karma

africates
Explorer

OK, I think I'm getting somewhere... I am able to run 'ldapsearch' using the Splunk Support - LDAP Commands app. I can also see some indexes triggered by add-ons installed on the DC (e.g. for TA-DomainController-2012R2 when executing: index=msad sourcetype=MSAD:NT6:Health).
I still, however, have a problem with Splunk App for Windows Infrastructure. When I'm running 'App Configuration' I'm not getting: Users, Computers and Groups.
I was under the impression that these are preconfigured in the add-ons which I installed on the DCs, but maybe they are not. What should I check in inputs.conf? Thanks

0 Karma

africates
Explorer

Hi,

I had configured ldap.conf on the Splunk server (\\c$\Program Files\Splunk\etc\apps\SA-ldapsearch\local\ldap.conf) - see the config below.

I also enabled auditing and PowerShell script execution on the AD servers via GPO.

The only thing which I skipped from the whole installation guide was setting up an AD user for the Splunk server. Instead of that I am running the Splunk server service as a domain administrator temporarily, which I believe should be fine.

Any other ideas? Maybe there is some way of debugging the whole process?

[default]
server =

[my-domain.local]
server = ;
basedn = DC=my-domain,DC=local
binddn = cn=user,OU=Managed Service Accounts,DC=my-domain,DC=local
password = xxx
alternatedomain = MY-DOMAIN

thanks
p

0 Karma
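The first post's error comes from `Get-ADDomainController -Identity $ServerName` inside the TA's siteinfo.ps1, and the last post asks how to debug the process. The following diagnostic is an added example, not code from the thread or from the TA; run it on the domain controller under the same account as the universal forwarder. It assumes siteinfo.ps1 passes the local hostname as `$ServerName` and that the ActiveDirectory module is installed (the cmdlets depend on the ADWS service).

```powershell
# Added diagnostic (not part of the TA): reproduce the failing call and show why it fails.
# Assumption: siteinfo.ps1 resolves the local host, so default $ServerName to the hostname.
param(
    [string]$ServerName = $env:COMPUTERNAME
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The AD cmdlets talk to Active Directory Web Services (ADWS), not LDAP directly.
#    A stopped ADWS yields exactly the "AdwsConnection ... LDAP operation failed" fault quoted above.
$adws = Get-Service -Name ADWS -ErrorAction SilentlyContinue
if (-not $adws) {
    Write-Warning "ADWS service not found on this host; AD cmdlets cannot work here."
} elseif ($adws.Status -ne 'Running') {
    Write-Warning "ADWS service is $($adws.Status); start it before re-running the TA scripts."
}

# 2. Show which account actually runs the script. The forwarder's service account needs
#    read access to the directory; a local account without domain rights will fail here.
$who = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Running as: $($who.Name)"

# 3. Reproduce the call from siteinfo.ps1 and print the full exception chain, which the
#    TA's wrapper flattens into one log line.
try {
    $dc = Get-ADDomainController -Identity $ServerName -ErrorAction Stop
    Write-Host "Resolved DC: $($dc.HostName)  Site: $($dc.Site)  IP: $($dc.IPv4Address)"
} catch {
    Write-Warning "Get-ADDomainController -Identity '$ServerName' failed."
    $ex = $_.Exception
    while ($ex) {
        Write-Host "  $($ex.GetType().FullName): $($ex.Message)"
        $ex = $ex.InnerException
    }
    # If an unfiltered query works but the identity lookup does not, the identity string
    # (short name vs. FQDN) is the problem rather than connectivity or permissions.
    $all = Get-ADDomainController -Filter * -ErrorAction SilentlyContinue
    if ($all) {
        Write-Host "Discoverable DCs: $(($all | ForEach-Object HostName) -join ', ')"
    }
}
```

Comparing the "Running as" line with the account the forwarder service uses tells you whether the failure is tied to the service context rather than to the script itself.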