Author: Lee

Splunk_TA_Windows error: DsBind failed (1753)

I started seeing the error DsBind failed (1753) in Splunk’s _internal index shortly after a Domain Controller replacement project. The error was only occurring on two DCs. The first thing I checked was the configuration in inputs.conf. We are using the Splunk_TA_Windows add-on to collect Security Event Logs, with a separate inputs app to deploy to servers. I

Splunking Bash history

I’ve been doing a lot of work recently setting up auditing of Splunk. One of the components of this is ingesting bash history, as most Splunk config changes are made from the command line. I found this great blog post by Duanne Waddle that explains how to enhance and capture bash history, which saved me a

Determine which Runbook Server ran a runbook instance

When you’re troubleshooting an issue with a runbook and you have multiple runbook servers, it can be useful to know which runbook server the runbook was executed on. Recently I found myself in such a situation, and after a quick Google search I couldn’t find any method of finding the runbook server. I decided to

Splunk: ERR_CONNECTION_ABORTED on port 8089

After updating the SSL certificate on our Splunk servers, I needed to verify that the new SSL certificate was in place and working. I did this by browsing to each server on port 8089. I was able to connect to all of the servers except one. To check that Splunk was listening on the correct

Issue with EventID field extraction in Windows_TA app

Today’s very short post is about an issue I came across viewing Application event logs that were onboarded using the Windows_TA app. The EventID field wasn’t being populated for most events. When I looked closer at the events, I could see that EventID can be represented in two different ways in different events: <EventID>1530</EventID> <EventID Qualifiers='16384'>16384</EventID> The first

Monitoring SQL in Low Priv environments the smart way

If you have a low priv SQL environment, you’re probably well aware of the pain of configuring and managing the run-as accounts required for SQL management packs. Well, there is a much simpler way to configure the necessary permissions, without using run-as accounts. The solution is to use Service SIDs, a method that Kevin Holman first discovered and blogged

Blank ‘Distribution Point Usage Summary’ reports for several DPs

The ‘Distribution Point Usage Summary’ report provides a useful overview of Distribution Point usage. It can be found in the monitoring pane, under the reporting folder ‘Software Distribution – Content’. When I first started using this report, I noticed that several distribution points were reporting 0 clients. I knew that these distribution points did have clients connecting to

Disable SQL discovery for a group

In my environment the DBA team receive all SQL alerts from SCOM, but there are some SQL installations that the team doesn’t manage. They don’t want to receive alerts for the ‘non-managed’ SQL installations, which are mostly SQL express. However, we still need to monitor everything else on those servers. In addition, any new SQL