Hi,
i've made a fresh setup of Splunk 6.1 and Windows infrasstructure app.
I followed row by row the setup guide of the app and the forwarders. I've a windows 2008 domain with two domain controllers but in the app configuration it doesn't detect any data about USers Login/logoff , groups and domain controllers.
However detects the Domain, DNS, and the events from domain controllers.
The ldap.conf file is structured as follow:
[default]
server=192.168.x.x (primary controller IP)
[intranet.mydomain.com]
server = PRIDC.intranet.mydomain.com
//# port = 636
//# ssl = true
basedn = DC=intranet,DC=mydomain,DC=com
binddn = CN=Splunk,CN=Users,DC=intranet,DC=mydomain,DC=com
password = xxxxxxxxxxxxx
alternatedomain = INTRANET
If we search using the standard search of Splunk we find all the events needed expecially the security events Login/Logoff with usernaem and Computers associated but the windows infr app seems that cannot retrieve these events to build the Users/Groups Views.
Also the SA-Ldap search does all the searches very well.
Universal forwarders have been configured following the instructions in the User Manual of Windows Infr App.
Here the list of modules on forwarders in Windows DCs:
Splunk_TA_windows
TA-DNSServer-NT6
TA-DomainController-NT6
SA-ModularInput-PowerShell(script execution tested and ok)
And the list of modules on Splunk Server:
Windows Infrastr App
SA-ldapsearch
How can i resolve these issues? What is a configuration that enables the build of lookup tables about Users and Groups?
Any help is appreciated.
