
Splunk App for Windows Infrastructure: Why are Active Directory logs going to the main index?

kpavan
Path Finder

Hi All,

I have installed the Splunk App for Windows Infrastructure in Splunk 6.3.2 (build aaff59bb082c), and also configured all add-ons in Windows 2008 R2. I am able to get the data for Splunk-TA-Windows, but no logs are being collected by the Windows Infrastructure app. When I search manually with index=main, I am able to see logs related to Active Directory, but I have configured the AD indexes as ad-perfmon, msad, winevents (copied from default/ to local/) on both the indexer and the Universal Forwarder as well. However, I'm still not able to get the AD related data, as the topology is blank.

FYI...
get-executionpolicy > RemoteSigned

In Win2008R2, below are the add-ons configured:
splunk_app_windows_infrastructure >TA-DNSServer-NT6/local/inputs.conf
splunk_app_windows_infrastructure >TA-DomainController-NT6/local/inputs.conf
Splunk_TA_windows> local/inputs.conf
SA-ModularInput-PowerShell

on receiving side
SA-ldapsearch > configured and connection is successful
splunk_app_windows_infrastructure > configured local/indexes.conf, eventtype.conf
Splunk_TA_windows > configured local/indexes.conf, eventtype.conf

0 Karma

mauricio_sandov
Explorer

I had a similar problem with an inputs.conf that did not specify an index or sourcetype in a monitor stanza. For example, someone had entered a monitor for the SMTP logging of an SMTP Windows server but did not specify an index to send the data to.
Example command: ./splunk add monitor C:\windows\system32\logfiles\SMTPSVC1

  • It created an inputs.conf in the default "Search" app on the Windows universal forwarder:
  • [monitor://C:\Windows\System32\LogFiles\SMTPSVC1]
  • It also assigned the hostname as the sourcetype.
  • All SMTP data was sent to the "main" index.

Search your inputs.conf for items without sourcetypes or specific index naming:
[monitor://C:\Windows\System32\LogFiles\SMTPSVC1]
sourcetype = mssmtp
index = mssmtp

0 Karma
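The answer above describes the failure mode behind the question: a data input stanza with no explicit index is indexed under whatever the indexer's default index is (normally main), and a monitor stanza with no sourcetype gets one derived from the source. As an added example that is not part of this thread and not Splunk's own tooling, here is a small Python check that parses an inputs.conf-style file and lists data-input stanzas that lack an explicit index (or, for monitor inputs, a sourcetype), honoring settings inherited from a [default] stanza. The configuration embedded in it is a constructed sample; its stanza names and index values are assumptions for illustration.

```python
"""Flag Splunk inputs.conf stanzas that will land in the default index.

Added example (not from the thread): parses inputs.conf-style text and
reports data inputs that set no explicit index (those events go to the
indexer's default index, usually "main"). The sample configuration below
is constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: two stanzas are routed correctly, two are not.
SAMPLE_INPUTS_CONF = """\
# Forwarder inputs.conf (constructed sample)
[default]
host = dc01

[monitor://C:\\Windows\\System32\\LogFiles\\SMTPSVC1]
# no index and no sourcetype: events default to main, sourcetype is derived

[monitor://C:\\Windows\\System32\\dns\\dns.log]
sourcetype = MSWindows:DNS:Log
index = winevents

[WinEventLog://Security]
disabled = 0
# index missing: Security events go to main

[perfmon://NTDS]
object = NTDS
counters = *
sourcetype = Perfmon:NTDS
index = ad-perfmon
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
# Stanza prefixes that are data inputs (not global settings).
INPUT_SCHEMES = ("monitor://", "WinEventLog://", "perfmon://", "script://", "powershell://")
# monitor inputs need an explicit sourcetype; WinEventLog and perfmon inputs
# derive one themselves, so for them only the index is required.
REQUIRED_BY_SCHEME = {"monitor://": ("index", "sourcetype")}
DEFAULT_REQUIRED = ("index",)


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Handles '#' and ';' comment lines, 'key = value' lines and any
    stanza-less leading block (stored under the empty string)."""
    stanzas: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def scheme_of(stanza: str) -> str:
    """Return the input scheme prefix of a stanza name, or '' if not an input."""
    for scheme in INPUT_SCHEMES:
        if stanza.startswith(scheme):
            return scheme
    return ""


def find_unrouted_inputs(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(stanza, [missing keys])] for data-input stanzas that lack
    required routing keys after applying [default] stanza inheritance."""
    stanzas = parse_conf(text)
    defaults = stanzas.get("default", {})
    findings: List[Tuple[str, List[str]]] = []
    for name, settings in stanzas.items():
        scheme = scheme_of(name)
        if not scheme:
            continue
        effective = {**defaults, **settings}  # stanza keys override [default]
        required = REQUIRED_BY_SCHEME.get(scheme, DEFAULT_REQUIRED)
        missing = [key for key in required if key not in effective]
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    for stanza, missing in find_unrouted_inputs(SAMPLE_INPUTS_CONF):
        print(f"[{stanza}] missing: {', '.join(missing)}")
```

Run it against each app's local/inputs.conf on the forwarder; any stanza it reports will have its events indexed under the indexer's default index, which is the symptom described in the question. It only sees one file at a time, so for the merged view across apps (precedence between default/ and local/ and between apps) the btool output requested later in the thread is the authoritative source.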

sanderdenheijer
Explorer

Did anyone figure out what was causing this issue? I am experiencing the same thing. Thanks!

0 Karma

jkat54
SplunkTrust

I'm sorry, but there is not a single question here. Can you please ask a question?

0 Karma

kpavan
Path Finder

My question is: why are AD logs going to the 'main' index, even though it is not mentioned in any configuration?

0 Karma

masonmorales
Influencer

From one of your Windows hosts (that you have deployed the Windows TA to), could you please execute and post the output of splunk cmd btool inputs list --debug?

0 Karma