
Splunk App for Windows Infrastructure: Why are Active Directory logs going to the main index?

kpavan
Path Finder

Hi All,

I have installed the Splunk App for Windows Infrastructure on Splunk 6.3.2 (build aaff59bb082c), and have also configured all the add-ons on Windows 2008 R2. I am able to get the data for Splunk-TA-Windows, but no logs are being collected by the Windows Infrastructure app. When I search manually with index=main, I am able to see logs related to Active Directory, but I have configured the AD indexes as ad-perfmon, msad, winevents (copied from default/ to local/) on both the indexer and the Universal Forwarder as well. However, I'm still not able to get the AD related data, as the topology is blank.

FYI...
get-executionpolicy > RemoteSigned

In Win2008R2, below are the add-ons I have configured:
splunk_app_windows_infrastructure >TA-DNSServer-NT6/local/inputs.conf
splunk_app_windows_infrastructure >TA-DomainController-NT6/local/inputs.conf
Splunk_TA_windows> local/inputs.conf
SA-ModularInput-PowerShell

On the receiving side:
SA-ldapsearch > configured and connection is successful
splunk_app_windows_infrastructure > configure local/indexes.conf, eventtype.conf,
Splunk_TA_windows > configure local/indexes.conf, eventtype.conf

0 Karma

mauricio_sandov
Explorer

I had a similar problem with an inputs.conf that did not specify an index or sourcetype in the monitor stanza. For example, someone had added a monitor for SMTP logging on a Windows SMTP server but did not specify an index to send the data to.
Example command: ./splunk add monitor C:\windows\system32\logfiles\SMTPSVC1

  • It created inputs.conf in default "Search" app on Windows universal forwarder
  • [monitor://C:\Windows\System32\LogFiles\SMTPSVC1]
  • Also assigned hostname as sourcetype
  • All SMTP data was sent to "main" index.

Search your inputs.conf for stanzas without a sourcetype or a specific index name:
[monitor://C:\Windows\System32\LogFiles\SMTPSVC1]
sourcetype = mssmtp
index = mssmtp

0 Karma
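The check mauricio_sandov describes, searching inputs.conf for stanzas that never set an index and therefore land in main, can be scripted. The following is an added example, not code from the thread or from Splunk; it parses inputs.conf text with a small hand-written parser (the stanza names and sample file are constructed) and reports enabled input stanzas with no effective index, honouring an index set in the file's [default] stanza.

```python
"""Lint Splunk inputs.conf text for input stanzas that would default to index=main."""
import re
from typing import Dict, List

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}; comments and blank lines are ignored."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def find_unrouted_inputs(text: str) -> List[str]:
    """Return enabled input stanzas with no index set, i.e. those whose events go to main.

    A [default] stanza in the same file supplies fallback values, so an index set
    there counts for every other stanza in the file. Disabled inputs are skipped.
    """
    stanzas = parse_conf(text)
    defaults = stanzas.get("default", {})
    unrouted = []
    for name, keys in stanzas.items():
        if name == "default":
            continue
        effective = {**defaults, **keys}  # stanza-level keys override [default]
        if effective.get("disabled", "0").lower() in ("1", "true"):
            continue
        if not effective.get("index"):
            unrouted.append(name)
    return unrouted


# Constructed sample, modelled on the SMTP monitor from the thread: the first stanza
# sets a sourcetype but no index, so its data would be written to main.
SAMPLE_INPUTS_CONF = """\
[monitor://C:\\Windows\\System32\\LogFiles\\SMTPSVC1]
sourcetype = mssmtp

[WinEventLog://Security]
index = winevents
disabled = 0

[WinEventLog://Application]
disabled = 1
"""
```

Run it over each local/inputs.conf under the forwarder's apps; btool output merges the files, so the [default] handling matters less there, but the missing-index check is the same.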

sanderdenheijer
Explorer

Did anyone figure out what was causing this issue? I am experiencing the same thing. Thanks!

0 Karma

jkat54
SplunkTrust

I'm sorry, but there is not a single question here. Can you please ask a question?

0 Karma

kpavan
Path Finder

My question is: why are AD logs going to the 'main' index, even though it is not mentioned in any configuration?

0 Karma

masonmorales
Influencer

From one of your Windows hosts (that you have deployed the Windows TA to), could you please execute and post the output of splunk cmd btool inputs list --debug?

0 Karma