Issue with Splunk Integration for Syslog Forwarding

Issue description  

ADAudit Plus forwards data to the configured Syslog server using network protocols such as UDP or TCP. The error occurs when these communication channels are disrupted due to network restrictions, firewall rules blocking the connection, or incorrect Syslog server configurations. As a result, ADAudit Plus fails to establish a connection with the Syslog server, preventing data from being forwarded successfully.

Prerequisites  

Before troubleshooting, ensure the following:

  • ADAudit Plus is able to establish communication with the Splunk server on the configured HTTP collector port.

  • The correct authentication token is provided in the Splunk configuration page.

Possible causes  

  • The POST URL configured in ADAudit Plus is not accessible from the ADAudit Plus server.
  • The authentication token is not configured properly.
  • Data being forwarded might not be in the required Splunk format.

Resolution  

Step 1: Verify network connectivity  

  1. Verify if the POST URL configured in ADAudit Plus is accessible from the ADAudit Plus server.

Step 2: Verify Splunk HTTP event collector configuration  

  1. From the Splunk UI, check if the HTTP Event Collector is correctly configured.
  2. If not, follow these steps:
    • Click on Settings → Data Inputs → HTTP Event Collector.

    • Click New Token and provide a name (preferably "ADAuditPlus"). Leave other settings as default unless customization is required.

    • After saving, an authentication token will be generated. This token must be provided in the ADAudit Plus configuration.

    • Under Global Settings in the HTTP Event Collector page, enable All tokens.

    • You may customize the HTTP port number and SSL settings as required in Global Settings.

Step 3: Verify log forwarding configuration in ADAudit Plus  

  1. Ensure the details from Step 2 are correctly configured in ADAudit Plus.
  2. Navigate to Admin Tab → SIEM Integration.
  3. Tick the Enable checkbox and select the Splunk radio button.

  4. Enter the Splunk Server name and ensure that it is reachable from the ADAudit Plus Server.

  5. Provide the Splunk HTTP Event Collector port number and protocol.

  6. Enter the HTTP Event Collector token generated in Splunk for ADAudit Plus.

  7. After saving, choose the categories to forward.

Step 4: Verify if data is in SPLUNK-Compatible format  

  1. Navigate to <product_home>\splunk_temp and sort the files by date in descending order.
  2. Check the older files for syntax errors or empty content.
  3. If the syntax does not match the Splunk HTTP Event Collector format shown below, or the files are empty, delete them and restart the ADAudit Plus service.
  4. Example of correct Splunk syntax:

     {"time":1624534057,"event":{"DOMAIN":"ADAuditPlus Authentication","Category":"ADAPTechnicianAudit","ACCOUNT_ID":"1","LOGIN_ID":"1","CLIENT_IP_ADDRESS":"127.0.0.1","EVENT_TYPE":"8","USER_ID":"1","ADDITIONAL_INFO":"-","CLIENT_HOST_NAME":"ADAudit Plus Server","ACTION_ID":"4","ACTION_CATEGORY":"Admin","TIME_GENERATED":"1624534057","ACCESS_TYPE":"8","FORMAT_MESSAGE":"Successfully saved SIEM Integration Categories data","SESSION_ID":"20409","LOGIN_NAME":"admin","SEVERITY":"2"}}
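The checks in Step 1 (is the HEC endpoint reachable with the configured token?) and Step 4 (are the queued files valid HEC JSON, or empty?) can be scripted. The following is an added example written for this article; it is not ADAudit Plus or Splunk code. It assumes that each file under splunk_temp holds one HEC JSON object per line (the article shows a single object, which is the one-line case), that the field names taken from the article's sample event should appear in every event, and that the Splunk HEC endpoint is `/services/collector/event` with an `Authorization: Splunk <token>` header, which is Splunk's documented HEC interface. The three spool files it scans are constructed in a temporary directory so the example runs offline; the live HEC post is a separate function that is only invoked when you call it.

```python
r"""Validate ADAudit Plus Splunk spool files and optionally post a test event to HEC.

Added example for this article (not ADAudit Plus or Splunk code). Assumes one HEC
JSON object per line in each splunk_temp file, and that the fields listed in
EXPECTED_EVENT_FIELDS (taken from the article's sample) appear in every event.
"""
import json
import os
import tempfile
import time
import urllib.error
import urllib.request

# Fields present in the article's sample event; treating them as expected is an assumption.
EXPECTED_EVENT_FIELDS = ("DOMAIN", "Category", "TIME_GENERATED", "FORMAT_MESSAGE", "SEVERITY")

# The article's own example of a correctly formatted event, verbatim.
SAMPLE_EVENT = ('{"time":1624534057,"event":{"DOMAIN":"ADAuditPlus Authentication",'
                '"Category":"ADAPTechnicianAudit","ACCOUNT_ID":"1","LOGIN_ID":"1",'
                '"CLIENT_IP_ADDRESS":"127.0.0.1","EVENT_TYPE":"8","USER_ID":"1",'
                '"ADDITIONAL_INFO":"-","CLIENT_HOST_NAME":"ADAudit Plus Server",'
                '"ACTION_ID":"4","ACTION_CATEGORY":"Admin","TIME_GENERATED":"1624534057",'
                '"ACCESS_TYPE":"8","FORMAT_MESSAGE":"Successfully saved SIEM Integration Categories data",'
                '"SESSION_ID":"20409","LOGIN_NAME":"admin","SEVERITY":"2"}}')


def check_envelope(payload):
    """Return problems with one decoded HEC object ([] means it matches the expected shape)."""
    if not isinstance(payload, dict):
        return ["top level must be a JSON object with 'time' and 'event' keys"]
    problems = []
    t = payload.get("time")
    if isinstance(t, bool) or not isinstance(t, (int, float)) or t <= 0:
        problems.append("'time' must be a positive epoch timestamp")
    event = payload.get("event")
    if not isinstance(event, dict):
        problems.append("'event' must be a JSON object")
    else:
        missing = [f for f in EXPECTED_EVENT_FIELDS if f not in event]
        if missing:
            problems.append("event is missing fields: " + ", ".join(missing))
    return problems


def validate_hec_payload(text):
    """Validate the content of one spool file; empty files and bad JSON are reported per line."""
    if not text.strip():
        return ["file is empty"]
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            payload = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append(f"line {lineno}: invalid JSON ({exc.msg} at column {exc.colno})")
            continue
        problems.extend(f"line {lineno}: {p}" for p in check_envelope(payload))
    return problems


def scan_spool_dir(directory):
    """Map file name -> problems, newest file first (the article's 'sort by date descending')."""
    entries = sorted(os.scandir(directory), key=lambda e: e.stat().st_mtime, reverse=True)
    report = {}
    for entry in entries:
        if entry.is_file():
            with open(entry.path, encoding="utf-8") as fh:
                report[entry.name] = validate_hec_payload(fh.read())
    return report


def hec_event_url(server, port, use_ssl=True):
    """Build the HEC event endpoint from the values entered on the SIEM Integration page."""
    scheme = "https" if use_ssl else "http"
    return f"{scheme}://{server}:{port}/services/collector/event"


def post_test_event(server, port, token, use_ssl=True, timeout=10):
    """Send one constructed event to HEC and return the HTTP status code.

    200 confirms the endpoint and token work end to end; a 4xx status usually points at
    the token or the HEC settings; a urllib.error.URLError means the server or port is
    not reachable from this host (Step 1). Live call, so it is not run by the sample below.
    """
    now = int(time.time())
    body = json.dumps({"time": now, "event": {
        "DOMAIN": "ADAuditPlus Test", "Category": "ConnectivityCheck", "TIME_GENERATED": str(now),
        "FORMAT_MESSAGE": "HEC connectivity test (constructed event)", "SEVERITY": "2"}}).encode()
    req = urllib.request.Request(hec_event_url(server, port, use_ssl), data=body, method="POST",
                                 headers={"Authorization": f"Splunk {token}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


def build_sample_dir():
    """Create a temp directory of constructed spool files (not real ADAudit Plus output)."""
    directory = tempfile.mkdtemp(prefix="splunk_temp_")
    now = time.time()
    samples = [("good.json", SAMPLE_EVENT + "\n", now),        # valid, newest
               ("empty.json", "", now - 60),                    # empty file
               ("broken.json", SAMPLE_EVENT[:60], now - 120)]   # truncated JSON, oldest
    for name, content, mtime in samples:
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return directory


if __name__ == "__main__":
    for name, problems in scan_spool_dir(build_sample_dir()).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Point `scan_spool_dir` at the real `<product_home>\splunk_temp` to get the same per-file report on a live installation, and call `post_test_event` with the server, port and token from the SIEM Integration page to separate a network problem (exception) from a token problem (non-200 status) before touching the queued files.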

Related topics and articles  

  • SIEM Integration Guide
  • Splunk Integration Documentation
  • General Troubleshooting for Log Forwarding

When and how to reach support  

If the issue persists, contact our support team here
