All Apps and Add-ons

Where do I add domain controllers in Splunk App for Windows Infrastructure?

lorder
Explorer

I installed and configured Splunk App for Windows Infrastructure.

With this I install: Splunk Add-on for PowerShell, Splunk Supporting Add-on for Active Directory (and configure it "Connection test for default succeeded"), Splunk Add-on for Microsoft Active Directory, Splunk Add-on for Microsoft Windows DNS, Splunk Add-on for Microsoft Windows.

When I configure it and I complete all requirements I see only one server (self Splunk) but I don't see any domain controllers.

Where I must add domain controllers?

lorder
Explorer


Splunk v6.6.0+
OK: Splunk v7.1.3 detected
OK: Key value store is enabled. Learn more.

Splunk Add-on for Microsoft Windows v4.8.3 or 4.8.4
OK: Splunk Add-on for Microsoft Windows v4.8.4 detected

Splunk Supporting Add-on for Microsoft Windows Active Directory v2.1.7
OK: Splunk Supporting Add-on for Microsoft Windows Active Directory v2.1.7 detected

Users and/or groups configured with the winfra-admin user role:

0 Karma

lorder
Explorer

I think that problem with powershell module.
I have indexes (msad, perfmon, ...). I have sourcetypes (MSAD:NT6:..., Perfmon:..., ... )
1
And in sourcetype="Powershell:ScriptExecutionSummary" I have errors:
tcp://splunk-01:9389/ActiveDirectoryWebServices/Windows/Resource.
2
Exception="Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException: Не удалось найти сервер каталогов с удостоверением: "SPLUNK-01".

Splunk try connect to self as to DC, but it no DC... How I can configure real DC for connection?

0 Karma

adonio
Ultra Champion

are you bringing data from your domain controllers and other windows hosts?

0 Karma

lorder
Explorer

yes. But when I open predefined dashboards, such as users reports: disabled I can't select domain.
Or in other reports, where I must select domain, site, controllers - this dropdowns is empty.

I think that splunk try to read domain info from splunk server, but not from real DC.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...