Hello, I am new to the Splunk interface and I have been recently given a task to configure Splunk to monitor the following non-default Windows event log:
Log Name: Microsoft-AzureADPasswordProtection-DCAgent/Admin
Source: Microsoft-AzureADPasswordProtection-DCAgent
Date: 6/17/2019 5:42:22 AM
Event ID: 10014
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: ourdcserverA.ourdomain.com
Description:
The changed password for the specified user was validated as compliant with the current Azure password policy.
UserName: Leroy
FullName: Jenkins
So I went ahead and modified the inputs.conf on the central Splunk Enterprise server. Below is an example of the inputs.conf I have currently configured:
[default]
host = oursplunkserver
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://Microsoft-AzureADPasswordProtection-DCAgent/Operational]
host = ourdcserverA
disabled = 0
Now as you can see I've specified the inputs.conf file to look for that event from a domain controller (ourdcservera) but whenever I save the input file and verify if the change has been reflected using the web browser, it only shows that setting applying to the localhost which is the Splunk Enterprise Server (oursplunkserver) and not the domain controller(ourserverdca).
I would like to know what I am missing in the configuration so I am able to monitor this particular log from all our domain controllers? Please help and thank you!
... View more