Not getting any data in App for Active Directory

jbradleyharris · ‎08-30-2012

I am trying to set up the App for Active Directory 1.1 in the free version of Splunk. I think I followed all the instructions but I am not getting any data. I have an AD forest with a parent domain and two children. I have forwarders set up on a domain controller in the root domain and on two of the domain controllers of one of the child domains. The forest is at Server 2003 level, the domains are at 2003 Interim level. All domain controllers are Server 2003 x86. My Splunk server is Server 2003 R2 x64. All are at the latest service pack and patch levels.

I installed the Splunk_TA_Windows, TA-DomainController-NT5 and TA-DNSServer-NT5 add-ins into the forwarders by dropping the respective folders into the ..\Program Files\SplunkUniversalForwarder\etc\apps folder on each of the domain controllers. Is this correct?

I have PowerShell 2.0 installed on the domain controllers and the Splunk server. PowerShell script execution is enabled. Auditing is turned on. DNS logging us turned on and (big) log files are present. I created an AD user account for Splunk to use. I think I did my ldap.conf correctly:

[domain.forest.net]

server = DomainController1.domain.forest.net;DomainController2.domain.forest.net

basedn = dc=domain,dc=ad,dc=net

binddn = cn=Splunk,cn=Users,dc=domain,dc=ad,dc=net

password = {64}password

[SPL]

alias = domain.forest.net

[default]

server = DomainController2.domain.forest.net

I have been looking at this for two days now. I can log in to the App but no information is displayed anywhere.

Any suggestions?

jbradleyharris · ‎08-31-2012

I edited my ldap.conf file. Is this better?

[domain.forest.net]

server = dc1.domain.forest.net;dc2.domain.forest.net

port = 389

ssl = false

basedn = dc=domain,dc=forest,dc=net

binddn = cn=Splunk,cn=Users,dc=domain,dc=forest,dc=net

password = {64}(password)

[acsnt]

alias = domain.forest.net

[default]

server = 192.168.0.1

ahall_splunk · ‎08-31-2012

acsnt needs to be in caps, as NetBIOS is normally. Also, you do not have a stanza for the base DN (DN=domain,DN=forest,DN=net), which you can alias to domain.forest.net.

Finally, although optional, you should specify IP addresses in the server line. This is more of a performance issue, but domain controllers do not change IP's very often.

Once you have done all that, you can test with the search |ldapsearch domain=ACSNT search="(objectClass=user)" - it should give you results. If it gives you errors, refer to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log to see what is wrong.

ahall_splunk · ‎08-30-2012

The first thing is - are you getting any events at all? Do a search for events in index=msad, index=perfmon and index=main - if you have events, then those events should also show up in the app.

Incidentally, your ldap.conf is wrong. There should be four entries:

A default section
An entry for your DNS name
An entry for your NetBIOS name
An entry for your Base DN

I can't tell you what these are - they depend on your environment. I'm going to guess you need stanzas for [domain.forest.net], [DOMAIN], [DC=domain,DC=forest,DC=net] and [default]

justin_coffi · ‎11-14-2012

Did this ever get resolved? I'm having a similar issue and I'm desperate for an answer. http://splunk-base.splunk.com/answers/65347/no-data-from-splunk-support-for-active-directory

ahall_splunk · ‎08-31-2012

Some sections of the dashboards rely on saved temporal lookups. If there is no scheduler, then tHostInfo and tSessions would not be generated, which would preclude some of the change management and audit information from working. However, the health and security reports would still work since they don't rely on those lookups.

gkanapathy · ‎08-30-2012

does the app require jobs to run in order to display dashboard data? The free version doesn't have a scheduler.

Not getting any data in App for Active Directory

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk