Missing App Context and Index settings



markwolf - 4/29/2019

Hello.

We are testing the Supercharger Application with a Splunk Free Installation.

During the installation and configuration we already recognized missing options mentioned in the installation manual, compared with the options we had in the system:

The "App context" and the predefined logbinder index are missing.

So at the moment we can see that data, like changed users or group memberships, but we cannot see detailed information. The information is in the forwarded event; we can confirm that in the WinEvent log. But in the dashboard we don't see this necessary information.

Our system: Windows Server 2016, Supercharger Manager 19.1.4.0, Splunk 7.2.6, Logbinder for Splunk 1.1.12.
Attached is the comparison between our possible settings and the settings in the manual.

Thanks in advance

Mark


imrago - 4/29/2019

Please try to use these instructions:

https://support.logbinder.com/SuperchargerKB/50135/8-Install-Supercharger-with-Splunk-Free-and-the-Splunk-App-for-LOGbinder

markwolf - 4/30/2019

I have configured it like that, but there is still no information inside the LOGbinder app in Splunk.
If we look into the source of the event in the app, we only see the information that something has changed, but to see detailed information we still have to look inside the forwarded event in the Windows Event Log.
Not a big help if it is not possible to see that in the LOGbinder app in Splunk :(

imrago - 4/30/2019

In the AD changes dashboards only the events originating from DCs are considered. Those events are filtered out based on the domain_controllers lookup file. That file is generated using a saved search based on:

`select_winseclog_events` (EventCode=4932 OR EventCode=4768)

Please run this search. Does it return results?



markwolf - 4/30/2019



The search doesn't return any results.
Okay, so you are telling me that because we forward the events with the Supercharger from all the DCs to a single server, the dashboard will not display additional information?
But shouldn't it be like that? At least we saw it on this website: https://www.logbinder.com/Solutions/ActiveDirectory?x=1


imrago - 4/30/2019


Hi,

>Okay, so you are telling me that because we forward the events with the Supercharger from all the DCs to a single server, the dashboard will not display additional information?

No, it will display events received from DCs.

>The search doesn't return any results.

Please try this search:

(index=wineventlog OR index=main) eventtype=WinSecLog



markwolf - 4/30/2019



The same, no output with that search query.
So bottom line: if I do the configuration and installation as described in that KB https://support.logbinder.com/SuperchargerKB/50135/8-Install-Supercharger-with-Splunk-Light-and-the-Splunk-App-for-LOGbinder , I only see that events are there. But if I want to see who changed what in detail, I have to go through the WinEvent log myself. Correct?

imrago - 4/30/2019

>The same, no output with that search query.

To which index are the Winevents sent?

>But if I want to see who changed what in detail, I have to go through the WinEvent log myself. Correct?

To see the details of an event in Splunk? In the app, if you run the search which is populating the chart in verbose mode, then you would see the events on which the chart was based and you could see the details.




markwolf - 5/2/2019




The events are sent to the main index.

In verbose mode I don't see the necessary detailed information. I can see all the information about where the change happened and what the change is about (like a member added to a group), but which user made that change to which user account is not visible, even in verbose mode. If I want to see that information, I have to go manually to the WinEvent log file.

imrago

Thank you for running

(index=wineventlog OR index=main) eventtype=WinSecLog

Based on the fact that they are sent to the main index, probably the eventtype is not set. That eventtype assumes that

SourceName="Microsoft Windows security auditing."

is part of the events, and uses it to filter out the winsec-related events. Is that part of the events in Splunk? Could you send an anonymised screenshot of one single event in Splunk?
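The three diagnostic searches below are an added example for the checks imrago asks for in the replies above (the DC lookup built from EventCode 4932/4768, the `eventtype=WinSecLog` test, and the `SourceName` assumption); they are not part of the thread and are not the LOGbinder app's own searches. Index names, the eventtype name, the event codes and the `SourceName` value are taken from the thread. Assumed: the forwarded events carry the standard Splunk Windows event log fields `EventCode`, `SourceName` and `ComputerName`. The first search tells the events-absent case apart from the events-present-but-eventtype-not-applied case (`fillnull` matters here, because `stats ... by` silently drops events in which `SourceName` is missing, which is exactly the condition being hunted). The second reads the eventtype definition from the REST API instead of guessing it. The third lists the hosts the DC lookup search would see, which matters when all DCs forward to one collector: if `host` is the collector rather than the originating DC, compare it against `ComputerName`.

```spl
(index=wineventlog OR index=main) (EventCode=4932 OR EventCode=4768)
| fillnull value="MISSING" SourceName ComputerName
| eval has_winseclog=if(isnotnull(mvfind(eventtype, "^WinSecLog$")), "yes", "no")
| stats count by has_winseclog sourcetype SourceName host ComputerName

| rest /services/saved/eventtypes splunk_server=local
| search title=WinSecLog
| table title search eai:acl.app disabled

(index=wineventlog OR index=main) (EventCode=4932 OR EventCode=4768)
| stats count min(_time) as first_seen max(_time) as last_seen by host ComputerName
| convert ctime(first_seen) ctime(last_seen)
```

Run each search on its own. If the first search returns rows with `SourceName=MISSING` or a `has_winseclog=no` row for a sourcetype that should be security auditing, the eventtype (and therefore every dashboard built on it) cannot match, regardless of whether the raw events are present; if the second search returns no row, the eventtype is not visible from the app context in which the dashboards run. Read-only searches like these are a safe first step before changing any index or eventtype configuration.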







LOGbinder Forum