Hi all, we have a mixed Windows 2003 and Windows 2008 R2 domain controller setup. All of these send events to SCOM and the SCOM ACS database. We point Splunk at the SCOM ACS database to collate these events centrally. Currently when I click on "Active Directory" at the top of Splunk and then click on "Domain Controller Events" I can only see my Windows 2003 domain controller stats. I cannot see any data for my Windows 2008 R2 domain controllers. I have confirmed that there are definitely Windows 2008 R2 domain controller events within the SCOM ACS database. I'm very new to Splunk, so I very well might be doing something silly. Does anyone know what the SQL query is that is executed directly when I click on "Domain Controller Events"? If I have that I can confirm that the tables in the SCOM database are correct. Otherwise, has anyone seen this before?
My team may end up going down this route in the future.
If ACS is anything like SCOM, portions of Windows security event log data are likely spread across multiple tables. You would need to extract a view of security events and ensure that the columns match the field name and character case expected by the Splunk App for Active Directory. There may also be references to SourceName, SourceType, etc., so you will likely have some transform work to do if you are tailing SQL data using DB Connect.
This has nothing to do with Active Directory. If you want to grab the appropriate events for Active Directory, I suggest starting with the Splunk App for Active Directory. The App is available for download from Splunkbase, and is documented at http://docs.splunk.com.
That's because we don't execute an "SQL query" - with AD, no SQL is involved.
Thank you, I wasn't suggesting the problem was with Active Directory, so I'm not sure why you're suggesting it has nothing to do with AD. I asked what the SQL query was that was executed when I clicked on Active Directory events at the top of the Splunk app. Thus far, nobody has been able to tell me.
The only suggestion I would have would be to see if you can query the data from search, to see if it is indeed collecting inside of the index.
I have not used this app before, but I wanted to see if I could get you looking for the data via indexes.
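One way to do the check suggested above, as an added example that is not from the original thread: confirm from Splunk search whether the 2008 R2 domain controller events reached an index at all, and under which sourcetype, before looking at the app's dashboards. The index name and the host value `DC08R2-EXAMPLE` are placeholders, not values from the thread; the AD app's own expected sourcetypes are not stated on this page, so the searches only report what is present.

```spl
| tstats count where index=* earliest=-24h by index, sourcetype, host
| search host=DC08R2-EXAMPLE
| sort - count

index=* host=DC08R2-EXAMPLE earliest=-24h
| stats count min(_time) as first_seen max(_time) as last_seen by sourcetype, source
| convert ctime(first_seen) ctime(last_seen)
```

If the first search returns no rows for the 2008 R2 hosts, the data never arrived from DB Connect; if rows exist but the sourcetype or host values differ from what the 2003 controllers produce, the dashboards are filtering them out and the extraction or transforms need adjusting.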