LOGbinder for Splunk Free, No results found.



Brian.K

Followed the directions as per "8. Install Supercharger with Splunk Free and the Splunk App for LOGbinder"
Splunk version: 7.2.4 Build: 8a94541dcfac using logbinder_1.1.12.spl on windows 2012r2
index=main and there are over 500 events that can be viewed from the Splunk search panel.

All panels under Active Directory Changes show their heading but contain "No results found".
 


imrago - 2/21/2019

Is the sourcetype of those events "WinEventLog:Security"?
Brian.K - 2/21/2019

I believe so.



imrago - 2/22/2019

Great, the next thing to check is whether those are events from a DC. Please run this search:

| inputlookup domain_controllers

In the AD Changes dashboards only the events originating from a DC are considered.
Brian.K - 2/22/2019

I can't seem to get any results with that query, although only my DCs are currently forwarding events.
Yesterday I added the DCs to the domain_controllers.csv file. Still no change.


imrago - 2/22/2019

The inputlookup should start with this character: "|"
Please run this search to see if Splunk can access it and if it is correctly populated:

| inputlookup domain_controllers

That lookup file is updated every 5 min using a saved search.

Brian.K - 2/22/2019

No results.

imrago - 2/22/2019

Understood, that lookup file is being populated based on a search like this:

`select_winseclog_events` (EventCode=4932 OR EventCode=4768)

Are there events with those EventCodes present? Is this search returning results?
Brian.K - 2/22/2019

No, I don't see any in the Supercharger-Destination-ADChanges%4Log either. Let me verify the GPO again to make sure we're collecting properly. I'm seeing plenty of 5136 and some 111, 4611, 4728, 4737 Event IDs. Could there be an issue with the subscription?

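An added example (not code from the thread or from the LOGbinder app) that models the dependency imrago describes and the symptom Brian.K reports: the AD Changes panels keep only events from hosts in the domain_controllers lookup, and that lookup is filled from 4768/4932 events, so a subscription that forwards 5136/4728/4737 but no 4768/4932 leaves the lookup, and therefore the panels, empty. Assumed and constructed here: the lookup is keyed on the event's host field, the panel shows 5136 events, and the sample events.

```python
# Added example, not the thread's or the LOGbinder app's code: a model of the dependency
# imrago describes (panels -> domain_controllers lookup -> 4768/4932 search). Assumptions,
# all constructed: the lookup is keyed on the host field and the panel shows 5136 events.

DC_MARKER_CODES = {4768, 4932}  # EventCodes in the page's lookup-populating search
PANEL_CODES = {5136}            # assumed: directory-object-modified events shown by the panel
SECURITY = "WinEventLog:Security"


def build_domain_controllers(events):
    """Mimic `select_winseclog_events` (EventCode=4932 OR EventCode=4768).
    4768 (Kerberos TGT requested) and 4932 (AD replication started) are only logged by
    domain controllers, so the hosts emitting them become the domain_controllers lookup."""
    return {e["host"] for e in events
            if e["sourcetype"] == SECURITY and e["EventCode"] in DC_MARKER_CODES}


def ad_changes_panel(events, domain_controllers):
    """Panel filter as stated in the thread: only events originating from a DC are kept."""
    return [e for e in events
            if e["EventCode"] in PANEL_CODES and e["host"] in domain_controllers]


def diagnose(events):
    """Walk the same checks imrago asked for and return the first failing one, or 'ok'."""
    if not any(e["sourcetype"] == SECURITY for e in events):
        return "no WinEventLog:Security events indexed"
    dcs = build_domain_controllers(events)
    if not dcs:
        return "domain_controllers lookup empty: no 4768/4932 events from any host"
    if not ad_changes_panel(events, dcs):
        return "lookup populated but no 5136 events from a listed DC"
    return "ok"


def ev(host, code, sourcetype=SECURITY):
    """Build one constructed indexed event with the three fields the model uses."""
    return {"host": host, "sourcetype": sourcetype, "EventCode": code}


# Constructed sample matching Brian.K's report: 5136/4728/4737 from the DC, no 4768/4932.
REPORTED = [ev("DC01", 5136), ev("DC01", 4728), ev("DC01", 4737)]
# Same data once the forwarded subscription also carries one TGT request from DC01.
WITH_4768 = REPORTED + [ev("DC01", 4768)]

if __name__ == "__main__":
    print(diagnose(REPORTED), "|", diagnose(WITH_4768))
```

The practical takeaway is that the Windows Event Forwarding subscription feeding Splunk must include at least one of the DC-only event IDs (4768 or 4932) for each domain controller, or the saved search never writes that host into the lookup.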