I can't seem to get this figured out. I've tried adding the stanzas to the output.conf file on my fileserver where the SplunkUniversalForwarder is installed, but nothing from the security log ever shows up. Here's the end of my splunkd log.
Windows Server 2012 R2 for both the Indexer and FileServer I'm attempting to pull logs from.
03-15-2016 12:54:54.552 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk->admon.exe"" splunk-admon - ADMonitorThread::launchADMonitor: Failed to initialize ADMonitor='admon://NearestDC', targedDC='(null)'
ad nauseum.
Here is my inputs.conf (copied to /etc/var/system/local) --
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=
[blacklist:$SPLUNK_HOME\etc\auth]
[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal
[monitor://$SPLUNK_HOME\etc\splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version
[batch://$SPLUNK_HOME\var\spool\splunk]
move_policy = sinkhole
crcSalt =
[batch://$SPLUNK_HOME\var\spool\splunk...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =
[fschange:$SPLUNK_HOME\etc]
pollPeriod = 600
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
[udp]
connection_host=ip
[tcp]
acceptFrom=*
connection_host=dns
[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip
[script]
interval = 60.0
start_by_shell = false
[SSL]
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true
sslQuietShutdown = false
sslVersions = *,-ssl2
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
whitelist = 0-2000,3001-10000
blacklist = 2001-3000[WinEventLog://System]
disabled = 0"
I started all over and just removed everything. Cleared all the logs and reconnected the UF. Once I did that everything started showing up properly, no more errors. I did so much tinkering I think I just messed things up.
I have a similar problem, it seems the problem is with the TA-DomainController-NT6 app or the Splunk_TA_windows app you may have installed. The specific line with causing this problem is:
[admon://NearestDC]
monitorSubtree = 1
interval=3600
disabled=true
index=msad
If you do not need to use it, you can disable it and the errors will stop.
Thanks for this