Hello
I'm having an issue with the Splunk App for Active Directory. All the data is indexed into the main index, which makes the app unusable, as it searches the indexes msad, perfmon and winevents.
I've installed the Windows TA on the Windows servers and on the Splunk instance side. I've used the latest version, downloaded here: http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on
On the monitored Windows servers: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows
On the server side: /opt/splunk/etc/apps/Splunk_for_ActiveDirectory/appserver/addons/TA-DomainController-NT6/local, with the inputs.conf file like this:
[WinEventLog:DFS Replication]
disabled=0
sourcetype="WinEventLog:DFS Replication"
index=winevents
queue=parsingQueue
#
# Application and Services Logs - Directory Service
#
[WinEventLog:Directory Service]
disabled=0
sourcetype="WinEventLog:Directory Service"
index=winevents
queue=parsingQueue
#
# Application and Services Logs - File Replication Service
#
[WinEventLog:File Replication Service]
disabled=0
sourcetype="WinEventLog:File Replication Service"
index=winevents
queue=parsingQueue
#
# Application and Services Logs - Key Management Service
#
[WinEventLog:Key Management Service]
disabled=0
sourcetype="WinEventLog:Key Management Service"
index=winevents
queue=parsingQueue
#
# Collect Replication Information
#
[script://.\bin\runpowershell.cmd ad-repl-stat.ps1]
source=Powershell
sourcetype=MSAD:NT6:Replication
interval=300
index=msad
disabled=false
#
# Collect Health and Topology Information
#
[script://.\bin\runpowershell.cmd ad-health.ps1]
source=Powershell
sourcetype=MSAD:NT6:Health
interval=300
index=msad
disabled=false
#
# Collect Site, Site Link and Subnet Information
#
[script://.\bin\runpowershell.cmd siteinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:SiteInfo
interval=3600
index=msad
disabled=false
#
# Perfmon Collection
#
[perfmon://Processor]
object = Processor
counters = *
instances = *
interval = 10
disabled = 0
index=perfmon
[perfmon://Memory]
object = Memory
counters = *
interval = 10
disabled = 0
index=perfmon
[perfmon://Network_Interface]
object = Network Interface
counters = *
instances = *
interval = 10
disabled = 0
index=perfmon
[perfmon://DFS_Replicated_Folders]
object = DFS Replicated Folders
counters = *
instances = *
interval = 30
disabled = 0
index=perfmon
[perfmon://NTDS]
object = NTDS
counters = *
interval = 10
disabled = 0
index=perfmon
#
# ADMon Collection
#
[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
interval=3600
disabled=false
index=msad
#
# Subnet Affinity Log
#
[monitor://C:\Windows\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled=false
index=msad
I do get data from the execution of the scripts, as I find these sourcetypes in the main index:
- WinEventLog:Security
- WinEventLog:System
- fs_notification
- WinEventLog:Application
- ActiveDirectory
- WinEventLog:Setup
I guess I've followed all the steps to install and configure the app by following this tutorial, but it seems I've done something wrong... http://docs.splunk.com/Documentation/ActiveDirectory/latest/DeployAD/Deploymentprocess I've already looked for my mistake, but without success.
Could someone help me troubleshoot this?
Thanks.
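An added example, not code from the question or from the Splunk app: a small Python audit script that parses an inputs.conf, reports which index each stanza routes to, flags stanzas that set no index= at all (Splunk sends those events to the default index, main), and flags referenced indexes that are not in a caller-supplied set of indexes known to exist on the indexer. The embedded sample config is constructed from a few of the stanzas above plus one hypothetical WinEventLog:Security stanza without index=; the set of defined indexes passed in is an assumption.

```python
"""Audit the index routing in a Splunk inputs.conf (added example)."""
import re
from typing import Dict, List, Set

# Splunk delivers events from any input with no index= to the default index.
DEFAULT_INDEX = "main"

# Constructed sample: stanzas copied from the question's inputs.conf plus one
# hypothetical WinEventLog:Security stanza that sets no index= key.
SAMPLE_INPUTS_CONF = r"""
# Application and Services Logs - Directory Service
[WinEventLog:Directory Service]
disabled=0
sourcetype="WinEventLog:Directory Service"
index=winevents
queue=parsingQueue

[script://.\bin\runpowershell.cmd ad-repl-stat.ps1]
source=Powershell
sourcetype=MSAD:NT6:Replication
interval=300
index=msad
disabled=false

[perfmon://NTDS]
object = NTDS
counters = *
interval = 10
disabled = 0
index=perfmon

[monitor://C:\Windows\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled=false
index=msad

[WinEventLog:Security]
disabled=0
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {key: value}} for a conf file in Splunk's format.

    Blank lines and '#' comments are skipped; surrounding double quotes on a
    value (as in sourcetype="...") are stripped so values compare cleanly.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip().strip('"')
    return stanzas


def effective_index(settings: Dict[str, str]) -> str:
    """Index this stanza routes to, falling back to the default index."""
    return settings.get("index", DEFAULT_INDEX)


def stanzas_without_index(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Stanzas whose events will silently land in the default index."""
    return [name for name, s in stanzas.items() if "index" not in s]


def undefined_indexes(stanzas: Dict[str, Dict[str, str]],
                      defined: Set[str]) -> Dict[str, List[str]]:
    """Map each referenced index missing from `defined` to the stanzas using it."""
    missing: Dict[str, List[str]] = {}
    for name, s in stanzas.items():
        idx = effective_index(s)
        if idx not in defined:
            missing.setdefault(idx, []).append(name)
    return missing


def report(text: str, defined: Set[str]) -> List[str]:
    """Human-readable audit lines for a conf file and a set of known indexes."""
    stanzas = parse_inputs_conf(text)
    lines = []
    for name, s in stanzas.items():
        note = "" if "index" in s else "  (no index= set, defaults to main)"
        lines.append(f"{name} -> {effective_index(s)}{note}")
    for idx, users in undefined_indexes(stanzas, defined).items():
        lines.append(f"index '{idx}' is not defined but is used by: {', '.join(users)}")
    return lines


if __name__ == "__main__":
    # Assumed set of indexes that exist on the indexer; replace with the real list.
    for line in report(SAMPLE_INPUTS_CONF, {"main", "msad", "perfmon"}):
        print(line)
```

To audit a live deployment rather than the embedded sample, dump the merged configuration (default and local layers of every app) with `splunk btool inputs list` and feed that text to parse_inputs_conf; the same check applies to the forwarder's own inputs.conf, since a stanza defined there with no index= will route to main regardless of what the server-side file says.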