Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About africates
africates
Explorer
Member since:
04-20-2011
12-15-2020
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 04-20-2011 |
Activity Feed
- Posted Re: Advanced triggered alert search on Alerting. 08-14-2020 03:52 AM
- Karma Re: Advanced triggered alert search for renjith_nair. 08-14-2020 03:51 AM
- Posted Re: Advanced triggered alert search on Alerting. 07-02-2020 03:56 AM
- Tagged Re: Advanced triggered alert search on Alerting. 07-02-2020 03:56 AM
- Posted Advanced triggered alert search on Alerting. 07-02-2020 02:12 AM
- Posted Re: Splunk Universal Forwarder - Splunk_TA_windows addon on Getting Data In. 06-15-2020 05:40 AM
- Karma Re: Splunk Universal Forwarder - Splunk_TA_windows addon for harsmarvania57. 06-15-2020 05:39 AM
- Posted Splunk Universal Forwarder - Splunk_TA_windows addon on Getting Data In. 06-12-2020 04:51 AM
- Got Karma for How to migrate Splunk Server from version 4.2.1 on Windows 2003 32 bit to version 6.1.2 on windows 2012 64 bit?. 06-05-2020 12:47 AM
- Posted Re: Eventtype 'wineventlog_security' does not exist or is disabled. on All Apps and Add-ons. 02-05-2020 03:19 AM
- Posted Re: Eventtype 'wineventlog_security' does not exist or is disabled. on All Apps and Add-ons. 02-04-2020 03:15 AM
- Posted Eventtype 'wineventlog_security' does not exist or is disabled. on All Apps and Add-ons. 02-04-2020 02:56 AM
- Tagged Eventtype 'wineventlog_security' does not exist or is disabled. on All Apps and Add-ons. 02-04-2020 02:56 AM
- Tagged Eventtype 'wineventlog_security' does not exist or is disabled. on All Apps and Add-ons. 02-04-2020 02:56 AM
- Posted Splunk search goes through 'main' index only on Splunk Search. 08-22-2014 04:40 AM
- Tagged Splunk search goes through 'main' index only on Splunk Search. 08-22-2014 04:40 AM
- Posted Re: Splunk App for Windows Infrastructure - deployment issues on All Apps and Add-ons. 08-22-2014 03:15 AM
- Posted Re: Splunk App for Windows Infrastructure - deployment issues on All Apps and Add-ons. 08-22-2014 02:30 AM
- Posted Re: Splunk App for Windows Infrastructure - deployment issues on All Apps and Add-ons. 08-22-2014 01:18 AM
- Posted Splunk App for Windows Infrastructure - deployment issues on All Apps and Add-ons. 08-21-2014 07:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
07-02-2020
03:56 AM
Hi Renjith, Thanks for your suggestion. It may be working as required but I will need to test it fully by pausing some of the server backup. Can you briefly explain how this search works? So, it's basically getting the list of all server from the index accumulated over time - is this right? or is this just within the period specified in the search (in my case in the Last 24HRS) ? What would the result look like if the condition is met? - is it just the name of the host/server? Thanks again..
... View more
- Tags:
- Renji
07-02-2020
02:12 AM
Hi, I am working on a project where we will be monitoring the windows backup logs from all our servers. The idea is to create a splunk alert whenever there are backup process that did not start, or have started but not finished, or have started but failed. If this alert is triggered, an email will be sent to admin with the list of servers that met the condition. So far, I have sourced out the event ID's from the windows backup logs that I needed for the search; EventCode=1 - Windows backup started EventCode=4 - Backup Successful This can be easily done by creating an alert that searches the eventcodes from a single server and triggers if there are no result. Now my problem is that we have at least 12 servers. Does this mean that i have to create an alert item for each server? - or is there any easier way to do this with just one alert item? or is there an app/addon that easily does this? Thanks in advance for any suggestions.
... View more
Labels
- Labels:
-
alert action
-
alert condition
06-15-2020
05:40 AM
Thanks @harsmarvania57 . This seems to work. Thanks a lot!
... View more
06-12-2020
04:51 AM
Hi, Anybody knows how to include the windows server backup logs using Splunk_TA_windows addon? I have tried adding the following configuration to local\inputs.conf but it does not seem to work. [WinEventLog:Microsoft-Windows-Backup/Operational] disabled = 0 index = wineventlog renderXml=false start_from = oldest checkpointInterval = 5 Any suggestions please?
... View more
Labels
- Labels:
-
universal forwarder
02-05-2020
03:19 AM
Hi nick, I have windows TA installed on the forwarders, but not in the server itself.
... View more
02-04-2020
03:15 AM
sorry, i thought i have uploaded the image. see updated post. thanks
... View more
02-04-2020
02:56 AM
Hi,
I am getting a warning after running any search job "Eventtype 'wineventlog_security' does not exist or is disabled." There is a post regarding this (https://answers.splunk.com/answers/744214/eventtype-wineventlog-security-does-not-exist-or-i.html) and it mentioned there to check that this eventtype is shared globally, and they are globally shared.
Would anyone know where else I should check? I am on version 8.0.0.
Thanks and regards
... View more
08-22-2014
04:40 AM
Hi,
When I try to search anything through either 'Search & Reporting' or 'Splunk App for Windows Infrastructure' I am getting results only from 'main' index.
The same applies to 'Data Summary' - I'm only able to see the hosts which forwarded some events to 'main' index.
Can I change this somehow so search is executed on all indexes apart from these internal ones?
thanks
p
... View more
- Tags:
- search
08-22-2014
03:15 AM
I ignored that Users, Computers and Groups weren't detected and checked these under 'App Configuration' & created lookups. I can see some reports when I do the search now but i.e. below (+more) are missing:
Users>Administrator Audit (Account Domain and Administrator - no results)
... View more
08-22-2014
02:30 AM
OK, I think I'm getting somewhere.. I am able to run 'ldapsearch' using Splunk Support - LDAP Commands app. I can also see some indexes triggered by add-ons installed on DC (i.e. for TA-DomainController-2012R2 when executing: index=msad sourcetype=MSAD:NT6:Health).
I still however have problem with Splunk App for Windows Infrastructure. When I'm running 'App Configuration' I'm not getting: Users, Computers and Groups.
I was under impression that these are preconfigured in addons which I installed on the DCs but maybe these are not. What I should chec in inputs.conf? thanks
... View more
08-22-2014
01:18 AM
Hi,
I had configured ldap.conf on the Splunk server (\ \c$\Program Files\Splunk\etc\apps\SA-ldapsearch\local\ldap.conf) - see the config below.
I also enabled auditing and Powershell script execution on AD servers via GPO.
The only thing which I skipped from the whole installation guide was setting up AD user for Splunk server. Instead of that I am running Splunk server service as domain administrator temporarily which I believe should be fine.
Any other ideas? Maybee there is some way of debugging the whole process?
[default]
server =
[my-domain.local]
server = ;
basedn = DC=my-domain,DC=local
binddn = cn=user,OU=Managed Service Accounts,DC=my-domain,DC=local
password = xxx
alternatedomain = MY-DOMAIN
thanks
p
... View more
08-21-2014
07:46 AM
Hi,
I'm trying to deploy Splunk App for Windows Infrastructure on small AD environment (2 Domain Controllers and few other windows servers + 1 Splunk Indexer)
I installed everything according to the App specification but I'm getting very little information via the App itself now. I can see that I do not get any info re users or groups etc.
I noticed that powershell scripts aren't running OK i.e. below script should gather some Topology info but returns error (see the end of the post).
Any ideas what could go wrong?
[powershell://AD-Health]
script = & "$SplunkHome\etc\apps\TA-DomainController-2012R2\bin\Invoke-MonitoredScript.ps1" -Command ".\ad-health.ps1"
schedule = 0 */5 * ? * *
index = msad
source=Powershell
sourcetype=MSAD:NT6:Health
disabled=false
ParentIdentity="5e1ba9e1-f102-4156-8e0e-7abed0a5d1c3" ErrorIndex="0" ErrorMessage="A local error has occurred" PositionMessage="At C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-DomainController-2012R2\bin\siteinfo.ps1:7 char:8 + $DC = Get-ADDomainController -Identity $ServerName + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" CategoryInfo="NotSpecified: (REDACTED:ADDomainController) [Get-ADDomainController], ADException" FullyQualifiedErrorId="ActiveDirectoryServer:8251,Microsoft.ActiveDirectory.Management.Commands.GetADDomainController" Exception="Microsoft.ActiveDirectory.Management.ADException: A local error has occurred ---> System.ServiceModel.FaultException 1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. Server stack trace: at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) Exception rethrown at [0]: at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.TopologyManagement.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) --- End of inner exception stack trace --- at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException faultException) at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADDomainController(GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADTopologyManagement.GetADDomainController(ADSessionHandle handle, GetADDomainControllerRequest request) at Microsoft.ActiveDirectory.Management.ADTopologyManagement.GetDomainController(String[] dcNtdsSettingsDN) at Microsoft.ActiveDirectory.Management.Commands.ADDomainControllerFactory 1.GetExtendedObjectFromIdentity(T identityObj, String identityQueryPath, ICollection 1 propertiesToFetch, Boolean showDeleted) at Microsoft.ActiveDirectory.Management.Commands.ADGetCmdletBase 3.ADGetCmdletBaseProcessCSRoutine() at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke() at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase 1.ProcessRecord()" InnerException="System.ServiceModel.FaultException 1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault]: The lightweight directory access protocol (LDAP) operation failed. (Fault Detail is equal to schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControllerFault)."
... View more
07-31-2014
01:47 AM
1 Karma
Hi,
I'm about to migrate whole splunk server from v. 4.2.1 on Windows 2003 32 bit to v.6.1.2 on Windows 2012 64 bits.
Could anybody advise what steps should I do to install new version and migrate all data and settings in the new version of application?
Many thanks,
Pawel
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-15-2020
01:05 AM
|
