Posted in Active Directory, AWS, Azure, Windows

VPN TUNNEL (V-NET TO V-NET)

A VPN tunnel is an encrypted path between two different organizations or networks. Because the traffic inside the tunnel is encrypted, the activity it carries is hidden from anyone observing the networks in between.

Pre-requisites:

  • Two virtual networks with non-overlapping address spaces, in different regions.
  • A virtual machine in each virtual network.
  • In the following scenario,
                       | VIRTUAL NETWORK-1      | VIRTUAL NETWORK-2
  Virtual network name | v-net-1                | v-net-2
  Address space        | 10.0.0.0/16            | 192.168.0.0/16
  Subnet               | default (10.0.0.0/24)  | default (192.168.0.0/24)
  Virtual machine      | cm-1                   | cm-2
  Private IP           | 10.0.0.4               | 192.168.0.4
  Region               | East-US                | Central-India

Procedure:

  • Create a gateway subnet in both virtual networks. // Home > Virtual networks > select the virtual network > Subnets > Gateway subnet
  • Specify the IP address range > OK. Carry out the same procedure for both networks.
  • Create a virtual network gateway for each virtual network; it acts as the gateway for incoming and outgoing traffic.
  • Home > Virtual network gateways > Add > type a valid gateway name (vgn-1) > select the virtual network (v-net-1) > make sure the region is the same as that of the virtual network (v-net-1) > create a new public IP (pip-vgn-1) > Review + create. Note: creating the gateway takes a considerable amount of time.
  • Create a second virtual network gateway (vgn-2) for the second virtual network (v-net-2), along with a public IP (pip-vgn-2) for the gateway, by the same process and in the same region as that virtual network (v-net-2).
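Before clicking through the gateway creation, it is worth checking the plan on paper. The script below is an added example (not from the original post) that applies three Azure rules to the scenario in the table: the two address spaces must not overlap, each gateway subnet must lie inside its own VNet's address space without colliding with the existing default subnet, and a gateway subnet must be at least /29 (Azure recommends /27 or larger). The gateway subnet ranges themselves are assumptions; the portal names the subnet GatewaySubnet for you.

```python
"""Pre-flight checks for the VNet-to-VNet plan above (added example)."""
import ipaddress

# Scenario from the table above; the gateway ranges are constructed values.
PLAN = {
    "v-net-1": {"space": "10.0.0.0/16", "subnets": ["10.0.0.0/24"],
                "gateway": "10.0.255.0/27"},
    "v-net-2": {"space": "192.168.0.0/16", "subnets": ["192.168.0.0/24"],
                "gateway": "192.168.255.0/27"},
}

GATEWAY_MIN_PREFIX = 29          # smallest gateway subnet Azure accepts
GATEWAY_RECOMMENDED_PREFIX = 27  # size Azure recommends


def check_vnet(name, cfg):
    """Problems with one VNet's gateway subnet (empty list when it is fine)."""
    space = ipaddress.ip_network(cfg["space"])
    gw = ipaddress.ip_network(cfg["gateway"])
    problems = []
    if not gw.subnet_of(space):
        problems.append(f"{name}: gateway subnet {gw} is outside address space {space}")
    for s in cfg["subnets"]:
        if gw.overlaps(ipaddress.ip_network(s)):
            problems.append(f"{name}: gateway subnet {gw} overlaps existing subnet {s}")
    if gw.prefixlen > GATEWAY_MIN_PREFIX:
        problems.append(f"{name}: gateway subnet {gw} is smaller than /{GATEWAY_MIN_PREFIX}")
    elif gw.prefixlen > GATEWAY_RECOMMENDED_PREFIX:
        problems.append(f"{name}: gateway subnet {gw} is usable, but "
                        f"/{GATEWAY_RECOMMENDED_PREFIX} or larger is recommended")
    return problems


def check_plan(plan):
    """All problems across the plan: overlapping address spaces first, then per-VNet checks."""
    problems = []
    names = list(plan)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa = ipaddress.ip_network(plan[a]["space"])
            sb = ipaddress.ip_network(plan[b]["space"])
            if sa.overlaps(sb):
                problems.append(f"{a} and {b}: address spaces {sa} and {sb} overlap, "
                                "so the tunnel cannot route between them")
    for name, cfg in plan.items():
        problems.extend(check_vnet(name, cfg))
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

Running it against the table's values prints "plan is consistent"; feeding it two VNets that both use 10.0.0.0/16 reports the overlap, which is the mistake that otherwise only shows up later as a tunnel that connects but cannot route.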

Configuring VGN:

  • After the virtual network gateway resources have been created, go to the first virtual network gateway (vgn-1).
  • Home > Virtual network gateways > Connections > Add.
  • Give a valid name, select the second virtual network gateway (vgn-2) and enter a pre-shared key as shown below.
  • The same pre-shared key is used to establish the connection from the other end.
  • Go back to the second virtual network gateway (vgn-2) and establish a connection to the first virtual network gateway.
  • Home > Virtual network gateways > select the second virtual network gateway (vgn-2) > Connections > Add > create the connection with the same pre-shared key.

Note: It takes a few minutes for the status to change from Unknown to Connected.

Configure the security rules:

  • Configure the network security group rules of the virtual machines so that incoming traffic from the other virtual network is allowed, as shown below (if required).
  • Similarly configure the security group of the other virtual machine to allow the required traffic from the other virtual network.
  • Check the connection by pinging the private IP of the virtual machine on the other side.
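What "allow the required traffic" means in practice is decided by NSG rule evaluation: Azure walks the inbound rules from the lowest priority number upward and the first match wins. The script below is an added example (not from the original post) that models that evaluation with two constructed rule sets, one scoped to v-net-2's address space and one that opens RDP to any source, and then runs the ping from cm-2 (192.168.0.4) and an RDP attempt from an address outside both VNets through each. Azure's own default rules (AllowVnetInBound at priority 65000 among them) are not modelled here except for DenyAllInBound at 65500; the ping uses port 0 because ICMP has no port.

```python
"""NSG inbound rule evaluation: lowest priority number first, first match wins (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str      # CIDR or "*" for any source
    dest_port: str   # "*", a single port "3389", or a range "1000-2000"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    access: str      # "Allow" or "Deny"


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec, src_ip):
    return spec == "*" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(spec)


def evaluate(rules, src_ip, dst_port, protocol):
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol)
                and _source_matches(r.source, src_ip)
                and _port_matches(r.dest_port, dst_port)):
            return r.access, r.name
    return "Deny", "no-match"   # not reached once DenyAllInBound is present


DENY_ALL = Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny")

# Least privilege: only the peer VNet's address space reaches cm-1.
SCOPED_TO_PEER = [Rule(100, "AllowFromVnet2", "192.168.0.0/16", "*", "*", "Allow"), DENY_ALL]

# Over-broad: RDP reachable from any source, which also exposes a public IP if one is attached.
RDP_FROM_ANYWHERE = [Rule(100, "AllowAnyRDP", "*", "3389", "Tcp", "Allow"), DENY_ALL]


def ping_from_cm2(rules):
    """The connectivity check from the post: ICMP from cm-2 (192.168.0.4)."""
    return evaluate(rules, "192.168.0.4", 0, "Icmp")


def rdp_from_internet(rules):
    """Same NSG, TCP/3389 from a constructed address outside both VNets."""
    return evaluate(rules, "203.0.113.7", 3389, "Tcp")


if __name__ == "__main__":
    for label, rules in (("scoped", SCOPED_TO_PEER), ("over-broad", RDP_FROM_ANYWHERE)):
        print(label, "ping from cm-2:", ping_from_cm2(rules), "RDP from internet:", rdp_from_internet(rules))
```

The scoped rule set admits the ping and lets DenyAllInBound catch the RDP attempt; the over-broad set does the opposite, which is the configuration to avoid on any VM that later receives a public IP.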
Posted in Azure, Migration, Windows

ON-PREMISE SERVER MIGRATION TO CLOUD

Requirements

  • A configuration server
  • A process server
  • A target server

Procedure

In the following scenario the configuration server and the process server are the same virtualized machine running on VMware. The configuration server acts as the communicator between the cloud (Azure) and the on-premises environment, while the process server acts as the gateway for data replication during the migration.

Setting up the configuration server

  • Download the Microsoft Azure Site Recovery configuration server file from here.
  • Import the downloaded configuration server into VMware Workstation.
  • Open the Azure Site Recovery Configuration Manager on the desktop and follow the on-screen prompts, starting with the server name.
  • Sign in to the Azure account when prompted and restart the server for the changes to take effect.
  • On restart, a setup wizard opens in the local browser of the configuration server.
  • Make sure the configuration server is connected to the internet.
  • Configure the NIC by selecting the NIC to continue.
  • Create a Recovery Services vault in the Azure account and note the details.
  • Sign in to the account and select the subscription along with the created Recovery Services vault.
  • Accept the third-party license agreement, then download and install the required third-party prerequisites.
  • Follow the on-screen prompts to configure the vCenter server.
  • Add the vCenter server and add the virtual machine credentials manually as shown below, then finalize the configuration.

Configuring configuration server

  • Go back to the created Recovery Services vault in the Azure account.
  • Recovery Services vault > Site Recovery > VMware machines to Azure > Prepare infrastructure > Deployment planning (optional) > the configuration server should be selected automatically as the source configuration server > Add a vCenter server > define the target server as shown below > select the host account credentials given in the previous step > OK > Next.
  • Azure takes a considerable amount of time to contact the target server through the configuration server.
  • Create a virtual network, under the same subscription and in the same region as the Recovery Services vault, to ensure compatibility.
  • Proceed to the target settings, where the created network should appear under the subscription and resource manager.
  • Create a new replication policy > define the policy name > change the values as shown below. These values can be changed as required, but they affect how efficiently storage is used.
  • Review the configuration and prepare the infrastructure.
  • Create a storage account in the same region as the Recovery Services vault for the server being migrated, and note the details.

Adding an on-premise server to migration

  • Recovery Services vault > Site Recovery > Enable replication (VMware machines to Azure) > select the configuration server and the vCenter server > check that the target environment is correct > select the target server > select the credentials given during the initial configuration and select the created storage account > enter the server name > select the replication policy > Enable replication.
  • Make sure the firewall is enabled on both the configuration server and the target server.
  • Replication takes a considerable amount of time to complete.
  • The status of the replication can be checked under Recovery Services vault > Replicated items.
  • After some time the server starts pushing data into the Recovery Services vault, which can be confirmed from the synchronization status.
  • Once synchronization has completed, run a test failover to validate the replication and the disaster recovery strategy without data loss or downtime.
  • Click the replicated item (once the status changes to Protected) > Test failover > choose the latest recovery point and the created VNet > OK.
  • The test failover automatically creates the virtual machine in Azure and starts the instance.
  • This can be confirmed from the Virtual machines blade in Azure.

Accessing vm in Azure

  • The migrated virtual machine does not yet have a public IP; one has to be assigned manually.
  • Search for Public IP addresses in the search bar > create a public IP in the same region.
  • Resource group (virtual machine) > find the network interface resource > IP configurations > click the network interface > Associate > choose the created IP from the drop-down > save the changes.
  • The public IP is now assigned to the virtual machine, but there is no network security group yet.
  • Search for Network security groups in the search bar and create an NSG for the virtual machine in the same region as the VM.
  • Open the created NSG resource > Network interfaces > Associate > select the network interface of the virtual machine.
  • Open the required ports (RDP, for example) in the associated NSG to gain access to the virtual machine.
  • Azure takes some time before remote access is allowed. Connect to the virtual machine with the same credentials.

Cleanup test failover

A simple process to delete all migration-related resources, including the migrated virtual machine.
Posted in Active Directory, Migration, Windows

PASSWORD MIGRATION USING ADMT

Prerequisites:

SOURCE DOMAIN (sd.com)        | TARGET DOMAIN (td.com)
Domain controller (S-DC)      | Domain controller (T-DC)
                              | ADMT server (T-ADMT)
Two-way trust between domains | Two-way trust between domains

Procedure:

Step 1:

  • Download both SQL Server and the ADMT tool onto the ADMT server (T-ADMT).
  • Install SQL Server by following the default on-screen prompts on the ADMT server (T-ADMT).
  • Install the ADMT tool on the server, specifying the previously installed SQL instance.
  • Create the encryption key on the ADMT server (T-ADMT) with the following command at the command prompt.
admt key /option:create /sourcedomain:source.local /keyfile:"c:\KEY.pes" /keypassword:*
  • The source domain and the key password need to be changed as required, as shown below.
  • Copy the created key to the source domain controller (S-DC).

Step 2:

  • Download and install PES (Password Export Server) on the source domain controller (S-DC).
  • When prompted during the installation, choose the key created in the previous step.
  • Enter the key password to confirm and install.
  • Choose Log on as, enter the credentials of the source domain administrator or the target domain administrator as shown below, and restart the server (S-DC).
  • Start the Password Export Server service manually in Services on the source domain controller (S-DC).

Step 3:

  • Add the target domain administrator (TD\Azureuser) to the built-in Administrators group of the source domain (sd.com).
  • Similarly, add the source domain administrator (SD\Azureuser) to the built-in Administrators group of the target domain (td.com).

Step 4:

  • Open the ADMT tool on the target ADMT server (T-ADMT).
  • Right-click Active Directory Migration Tool > User Account Migration Wizard > define the source and target domain details as shown.
  • Select users from domain > Add > type the user name > select the users > Next > select the target OU > Migrate passwords > Target same as source > follow the on-screen prompts with the required properties to complete the migration of the users along with their passwords.
  • The migration status changes to Completed with no errors, as follows.
Posted in Active Directory, logs, Windows

SPLUNK DEPLOYMENT FOR WINDOWS ENVIRONMENT – 2

Installing and configuring universal forwarders

step-1:

  • Download the Splunk Universal Forwarder executable on the universal forwarder server (UF-1).
  • Copy it to every Windows host that needs to be monitored.
  • Right-click the executable to install > tick the box to accept the license agreement > Customize Options > Next > Next > make sure Local System is selected and click Next > Next > create the default administrative credentials for the local server > enter the IP address of the deployment server or indexer and the default port number 8089 > Next > Install.

step-2:

  • On the deployment server (Indexer), open Splunk Enterprise in the browser and click Settings > Forwarder management > Clients (UF-1 should be visible) > Server Classes > Edit (Edit Clients) > UF-1 (in the include list) > Preview > Save.

step-3:

  • Download the Splunk Add-on for Windows from here.
  • Extract the add-on (Splunk_TA_windows) and create a local directory inside it.
  • In the local directory create a file named inputs.conf with the following contents.
# Copyright (C) 2020 Splunk Inc. All Rights Reserved.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
# into ../local and edit there.
#



###### OS Logs ######
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index = wineventlog

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=true
index = wineventlog

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=true
index = wineventlog


###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml=true
host=WinEventLogForwardHost
index = wineventlog


###### WinEventLog Inputs for Active Directory ######

## Application and Services Logs - DFS Replication
[WinEventLog://DFS Replication]
disabled = 0
renderXml=true
index = wineventlog
 
## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 0
renderXml=true
index = wineventlog
 
## Application and Services Logs - File Replication Service
[WinEventLog://File Replication Service]
disabled = 0
renderXml=true
index = wineventlog
 
## Application and Services Logs - Key Management Service
[WinEventLog://Key Management Service]
disabled = 0
renderXml=true
index = wineventlog


###### WinEventLog Inputs for DNS ######
[WinEventLog://DNS Server]
disabled = 0
renderXml=true
index = wineventlog


###### DHCP ######
[monitor://$WINDIR\System32\DHCP]
disabled = 0
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
sourcetype = DhcpSrvLog
index = windows


###### Windows Update Log ######
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows

## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
## Below stanza will automatically generate WindowsUpdate.log daily
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 0
index = msad

## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows

###### Monitor Inputs for Active Directory ######
[monitor://$WINDIR\debug\netlogon.log]
sourcetype=MSAD:NT6:Netlogon
disabled = 0
index = msad

###### Monitor Inputs for DNS ######
[MonitorNoHandle://$WINDIR\System32\Dns\dns.log]
sourcetype=MSAD:NT6:DNS
disabled = 0
index = msad


###### Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts
index = windows

[script://.\bin\win_installed_apps.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

[script://.\bin\win_timesync_status.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
index = windows

[script://.\bin\win_timesync_configuration.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
index = windows

[script://.\bin\netsh_address.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration

###### Scripted/Powershell Mod inputs Active Directory ######

## Replication Information NT6
[script://.\bin\runpowershell.cmd nt6-repl-stat.ps1]
source=Powershell
sourcetype=MSAD:NT6:Replication
interval=300
disabled = 0
index = msad
 
## Replication Information 2012r2 and 2016
[powershell://Replication-Stats]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-repl-stats.ps1"
schedule = 0 */5 * ? * *
source = Powershell
sourcetype=MSAD:NT6:Replication
disabled = 0
index = msad
 
## Health and Topology Information NT6
[script://.\bin\runpowershell.cmd nt6-health.ps1]
source=Powershell
sourcetype=MSAD:NT6:Health
interval=300
disabled = 0
index = msad
 
## Health and Topology Information 2012r2 and 2016
[powershell://AD-Health]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-health.ps1"
schedule = 0 */5 * ? * *
source=Powershell
sourcetype=MSAD:NT6:Health
disabled = 0
index = msad 
 
## Site, Site Link and Subnet Information NT6
[script://.\bin\runpowershell.cmd nt6-siteinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:SiteInfo
interval=3600
disabled = 0
index = msad
 
## Site, Site Link and Subnet Information 2012r2 and 2016
[powershell://Siteinfo]
script = & "$SplunkHome\etc\apps\Splunk_TA_windows\bin\Invoke-MonitoredScript.ps1" -Command ".\powershell\2012r2-siteinfo.ps1"
schedule = 0 15 * ? * *
source = Powershell
sourcetype=MSAD:NT6:SiteInfo
disabled = 0
index = msad


##### Scripted Inputs for DNS #####

## DNS Zone Information Collection
[script://.\bin\runpowershell.cmd dns-zoneinfo.ps1]
source=Powershell
sourcetype=MSAD:NT6:DNS-Zone-Information
interval=3600
disabled = 0
index = msad
 
## DNS Health Information Collection
[script://.\bin\runpowershell.cmd dns-health.ps1]
source=Powershell
sourcetype=MSAD:NT6:DNS-Health
interval=3600
disabled = 0
index = msad


###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
type = Computer
index = windows

[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = windows

[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows

[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
type = NetworkAdapter
index = windows

[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows

[WinHostMon://Driver]
interval = 600
disabled = 0
type = Driver
index = windows

[WinHostMon://Roles]
interval = 600
disabled = 0
type = Roles
index = windows

###### Print monitoring ######
[WinPrintMon://printer]
type = printer
interval = 600
baseline = 1
disabled = 0
index = windows

[WinPrintMon://driver]
type = driver
interval = 600
baseline = 1
disabled = 0
index = windows

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 0
index = windows

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows

###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = perfmon

## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly=true
index = perfmon

## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly=true
index = perfmon

## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly=true
index = perfmon

## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size  
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly=true
index = perfmon

## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly=true
index = perfmon

## ProcessInformation
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly=true
index = perfmon

## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly=true
index = perfmon


###### Perfmon Inputs from TA-AD/TA-DNS ######
[perfmon://Processor]
object = Processor
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly=true
index = perfmon
 
[perfmon://Network_Interface]
object = Network Interface
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size 
instances = *
interval = 10
disabled = 0
mode = single
useEnglishOnly=true
index = perfmon
 
[perfmon://DFS_Replicated_Folders]
object = DFS Replicated Folders
counters = Bandwidth Savings Using DFS Replication; RDC Bytes Received; RDC Compressed Size of Files Received; RDC Size of Files Received; RDC Number of Files Received; Compressed Size of Files Received; Size of Files Received; Total Files Received; Deleted Space In Use; Deleted Bytes Cleaned up; Deleted Files Cleaned up; Deleted Bytes Generated; Deleted Files Generated; Updates Dropped; File Installs Retried; File Installs Succeeded; Conflict Folder Cleanups Completed; Conflict Space In Use; Conflict Bytes Cleaned up; Conflict Files Cleaned up; Conflict Bytes Generated; Conflict Files Generated; Staging Space In Use; Staging Bytes Cleaned up; Staging Files Cleaned up; Staging Bytes Generated; Staging Files Generated
instances = *
interval = 30
disabled = 0
mode = single
useEnglishOnly=true
index = perfmon
 
[perfmon://NTDS]
object = NTDS
counters = DRA Inbound Properties Total/sec; AB Browses/sec; DRA Inbound Objects Applied/sec; DS Threads in Use; AB Client Sessions; DRA Pending Replication Synchronizations; DRA Inbound Object Updates Remaining in Packet; DS Security Descriptor sub-operations/sec; DS Security Descriptor Propagations Events; LDAP Client Sessions; LDAP Active Threads; LDAP Writes/sec; LDAP Searches/sec; DRA Outbound Objects/sec; DRA Outbound Properties/sec; DRA Inbound Values Total/sec; DRA Sync Requests Made; DRA Sync Requests Successful; DRA Sync Failures on Schema Mismatch; DRA Inbound Objects/sec; DRA Inbound Properties Applied/sec; DRA Inbound Properties Filtered/sec; DS Monitor List Size; DS Notify Queue Size; LDAP UDP operations/sec; DS Search sub-operations/sec; DS Name Cache hit rate; DRA Highest USN Issued (Low part); DRA Highest USN Issued (High part); DRA Highest USN Committed (Low part); DRA Highest USN Committed (High part); DS % Writes from SAM; DS % Writes from DRA; DS % Writes from LDAP; DS % Writes from LSA; DS % Writes from KCC; DS % Writes from NSPI; DS % Writes Other; DS Directory Writes/sec; DS % Searches from SAM; DS % Searches from DRA; DS % Searches from LDAP; DS % Searches from LSA; DS % Searches from KCC; DS % Searches from NSPI; DS % Searches Other; DS Directory Searches/sec; DS % Reads from SAM; DS % Reads from DRA; DRA Inbound Values (DNs only)/sec; DRA Inbound Objects Filtered/sec; DS % Reads from LSA; DS % Reads from KCC; DS % Reads from NSPI; DS % Reads Other; DS Directory Reads/sec; LDAP Successful Binds/sec; LDAP Bind Time; SAM Successful Computer Creations/sec: Includes all requests; SAM Machine Creation Attempts/sec; SAM Successful User Creations/sec; SAM User Creation Attempts/sec; SAM Password Changes/sec; SAM Membership Changes/sec; SAM Display Information Queries/sec; SAM Enumerations/sec; SAM Transitive Membership Evaluations/sec; SAM Non-Transitive Membership Evaluations/sec; SAM Domain Local Group Membership Evaluations/sec; SAM Universal Group Membership Evaluations/sec; SAM Global Group Membership Evaluations/sec; SAM GC Evaluations/sec; DRA Inbound Full Sync Objects Remaining; DRA Inbound Bytes Total/sec; DRA Inbound Bytes Not Compressed (Within Site)/sec; DRA Inbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec; DRA Outbound Bytes Total/sec; DRA Outbound Bytes Not Compressed (Within Site)/sec; DRA Outbound Bytes Compressed (Between Sites, Before Compression)/sec; DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec; DS Client Binds/sec; DS Server Binds/sec; DS Client Name Translations/sec; DS Server Name Translations/sec; DS Security Descriptor Propagator Runtime Queue; DS Security Descriptor Propagator Average Exclusion Time; DRA Outbound Objects Filtered/sec; DRA Outbound Values Total/sec; DRA Outbound Values (DNs only)/sec; AB ANR/sec; AB Property Reads/sec; AB Searches/sec; AB Matches/sec; AB Proxy Lookups/sec; ATQ Threads Total; ATQ Threads LDAP; ATQ Threads Other; DRA Inbound Bytes Total Since Boot; DRA Inbound Bytes Not Compressed (Within Site) Since Boot; DRA Inbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Inbound Bytes Compressed (Between Sites, After Compression) Since Boot; DRA Outbound Bytes Total Since Boot; DRA Outbound Bytes Not Compressed (Within Site) Since Boot; DRA Outbound Bytes Compressed (Between Sites, Before Compression) Since Boot; DRA Outbound Bytes Compressed (Between Sites, After Compression) Since Boot; LDAP New Connections/sec; LDAP Closed Connections/sec; LDAP New SSL Connections/sec; DRA Pending Replication Operations; DRA Threads Getting NC Changes; DRA Threads Getting NC Changes Holding Semaphore; DRA Inbound Link Value Updates Remaining in Packet; DRA Inbound Total Updates Remaining in Packet; DS % Writes from NTDSAPI; DS % Searches from NTDSAPI; DS % Reads from NTDSAPI; SAM Account Group Evaluation Latency; SAM Resource Group Evaluation Latency; ATQ Outstanding Queued Requests; ATQ Request Latency; ATQ Estimated Queue Delay; Tombstones Garbage Collected/sec; Phantoms Cleaned/sec; Link Values Cleaned/sec; Tombstones Visited/sec; Phantoms Visited/sec; NTLM Binds/sec; Negotiated Binds/sec; Digest Binds/sec; Simple Binds/sec; External Binds/sec; Fast Binds/sec; Base searches/sec; Subtree searches/sec; Onelevel searches/sec; Database adds/sec; Database modifys/sec; Database deletes/sec; Database recycles/sec; Approximate highest DNT; Transitive operations/sec; Transitive suboperations/sec; Transitive operations milliseconds run
interval = 10
disabled = 0
mode = single
useEnglishOnly=true
index = perfmon

[perfmon://DNS]
object = DNS
counters = Total Query Received; Total Query Received/sec; UDP Query Received; UDP Query Received/sec; TCP Query Received; TCP Query Received/sec; Total Response Sent; Total Response Sent/sec; UDP Response Sent; UDP Response Sent/sec; TCP Response Sent; TCP Response Sent/sec; Recursive Queries; Recursive Queries/sec; Recursive Send TimeOuts; Recursive TimeOut/sec; Recursive Query Failure; Recursive Query Failure/sec; Notify Sent; Zone Transfer Request Received; Zone Transfer Success; Zone Transfer Failure; AXFR Request Received; AXFR Success Sent; IXFR Request Received; IXFR Success Sent; Notify Received; Zone Transfer SOA Request Sent; AXFR Request Sent; AXFR Response Received; AXFR Success Received; IXFR Request Sent; IXFR Response Received; IXFR Success Received; IXFR UDP Success Received; IXFR TCP Success Received; WINS Lookup Received; WINS Lookup Received/sec; WINS Response Sent; WINS Response Sent/sec; WINS Reverse Lookup Received; WINS Reverse Lookup Received/sec; WINS Reverse Response Sent; WINS Reverse Response Sent/sec; Dynamic Update Received; Dynamic Update Received/sec; Dynamic Update NoOperation; Dynamic Update NoOperation/sec; Dynamic Update Written to Database; Dynamic Update Written to Database/sec; Dynamic Update Rejected; Dynamic Update TimeOuts; Dynamic Update Queued; Secure Update Received; Secure Update Received/sec; Secure Update Failure; Database Node Memory; Record Flow Memory; Caching Memory; UDP Message Memory; TCP Message Memory; Nbstat Memory; Unmatched Responses Received 
interval = 10
disabled = 0
mode = single
useEnglishOnly=true
index = perfmon


[admon://default]
disabled = 0
monitorSubtree = 1
index = windows


[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows
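As an added example (not code from the original post), here is detection logic a SOC could run over the events the two Run-key stanzas above produce, applied to constructed sample events. The event layout and field names (registry_type, key_path, process_image, data) are assumed to match Splunk's WinRegMon output; the hosts, users, paths and command lines in the samples are made up for the example:

```python
import re
from typing import Dict, List, Tuple

# Matches the Run / RunOnce keys the two WinRegMon stanzas watch, whether the
# path is spelled HKCU\... / HKLM\... or \REGISTRY\USER\... / \REGISTRY\MACHINE\...
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.IGNORECASE)
# First executable or script named in the Run value's command line, quoted or not.
TARGET_RE = re.compile(r'^\s*"?([^"]+?\.(?:exe|dll|bat|cmd|vbs|js|jse|ps1|hta|scr))"?', re.IGNORECASE)

SUSPICIOUS_WRITERS = {"reg.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                      "cscript.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe"}
SCRIPT_EXT = (".vbs", ".js", ".jse", ".bat", ".cmd", ".ps1", ".hta", ".scr")
THROWAWAY_DIRS = ("\\temp\\", "%temp%", "%tmp%", "\\downloads\\", "\\users\\public\\", "\\windows\\tasks\\")
USER_WRITABLE = ("\\appdata\\", "%appdata%", "%localappdata%", "\\programdata\\")

# Constructed sample events (not captured from a real host) in WinRegMon's
# name="value" layout; the field names are assumed to match Splunk's output.
SAMPLE_EVENTS = [
    # 1: OneDrive's own setup registering its autostart entry (benign, user-writable path)
    r'''05/12/2021 09:14:02.117
event_status="(0)The operation completed successfully."
pid=4120
process_image="C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe"
registry_type="SetValue"
key_path="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"
data_type="REG_SZ"
data=""C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background"''',
    # 2: reg.exe planting an encoded PowerShell one-liner (persistence via LOLBin)
    r'''05/12/2021 09:20:41.508
event_status="(0)The operation completed successfully."
pid=5532
process_image="C:\Windows\System32\reg.exe"
registry_type="SetValue"
key_path="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
data_type="REG_SZ"
data="powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0A"''',
    # 3: an MSI installer registering a vendor agent under Program Files (benign)
    r'''05/12/2021 10:02:17.004
event_status="(0)The operation completed successfully."
pid=2204
process_image="C:\Windows\System32\msiexec.exe"
registry_type="SetValue"
key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent"
data_type="REG_SZ"
data=""C:\Program Files\Vendor\agent.exe" --service"''',
    # 4: a script host writing an autostart that launches a script from Temp
    r'''05/12/2021 11:45:03.990
event_status="(0)The operation completed successfully."
pid=6010
process_image="C:\Windows\System32\wscript.exe"
registry_type="SetValue"
key_path="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"
data_type="REG_SZ"
data="wscript.exe //B C:\Users\bob\AppData\Local\Temp\update.vbs"''',
]


def parse_event(raw: str) -> Dict[str, str]:
    """Turn one WinRegMon event (one name=value per line) into a dict.

    Only one leading and one trailing double quote are stripped, so quotes that
    are part of a command line (a quoted exe path) survive in the value."""
    fields: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        m = re.match(r"^(\w+)=(.*)$", line.strip())
        if not m:
            continue  # the timestamp line is not a field
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[name] = value
    return fields


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one registry event; 0 when it does not touch a Run/RunOnce key."""
    if not RUN_KEY_RE.search(ev.get("key_path", "")):
        return 0, []
    score, reasons = 0, []
    rtype = ev.get("registry_type", "").lower()
    writer = basename(ev.get("process_image", ""))
    data = ev.get("data", "")
    m = TARGET_RE.match(data)
    target = basename(m.group(1) if m else data.split(" ", 1)[0])
    low = data.lower()
    if writer in SUSPICIOUS_WRITERS:
        score += 2; reasons.append(f"written by {writer}")
    if target in LOLBINS:
        score += 2; reasons.append(f"autostart runs {target}")
    if target.endswith(SCRIPT_EXT):
        score += 2; reasons.append("autostart runs a script")
    if any(d in low for d in THROWAWAY_DIRS):
        score += 3; reasons.append("target lives in a temp/download/public directory")
    elif any(d in low for d in USER_WRITABLE):
        score += 1; reasons.append("target lives in a user-writable directory")
    if rtype.startswith(("delete", "rename")):
        score += 1; reasons.append(f"{rtype} of an autostart entry")
    return score, reasons


def scan_events(raw_events: List[str], threshold: int = 3) -> List[Dict]:
    """Return an alert record for every Run-key change scoring at or above threshold."""
    alerts = []
    for raw in raw_events:
        ev = parse_event(raw)
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"key_path": ev.get("key_path"), "process_image": ev.get("process_image"),
                           "data": ev.get("data"), "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["score"], alert["key_path"], "|", "; ".join(alert["reasons"]))
```

The scoring keeps the OneDrive and MSI entries below the alert threshold while the reg.exe and wscript.exe writes surface; tune the writer allowlist and the threshold against a week of your own WinRegMon data before putting this into a scheduled search.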
  • Move the entire Splunk_TA_windows folder to C:\Program Files\Splunk\etc\deployment-apps on the deployment server.
  • Reload the deployment server from a command prompt:
> cd \Program Files\Splunk\bin
> .\splunk reload deploy-server
  • From a browser on the deployment server, log back in to Splunk Enterprise and follow these steps:
  • Settings > Forwarder management > Apps > Splunk_TA_windows > Edit > (+) add the Universal_Forwarders server class.
Posted in Active Directory, logs, Windows

SPLUNK DEPLOYMENT FOR WINDOWS ENVIRONMENT – 1

Pre-requisites:

Setup of Active directory with 3 servers that includes,

  • Domain controller (DC-1)
  • Indexer or Deployment server (Indexer)
  • Universal forwarder (UF-1)

Make sure all three servers are domain-joined and can reach the domain controller without issues.

Installing and configuring deployment server or indexer

step-1:

  • Download the Splunk Enterprise software from here.
  • Run the downloaded installer, tick the checkbox to accept the license agreement and click Next.
  • Create the administrator account credentials and follow the on-screen prompts to finish installing Splunk.

step-2:

  • Download the Splunk App for Windows Infrastructure.
  • Create a new directory named local inside the splunk_app_windows_infrastructure folder.
  • In that local directory, create a new file named indexes.conf with the following text using Notepad.
[msad]
homePath = $SPLUNK_DB/msad/db
coldPath = $SPLUNK_DB/msad/colddb
thawedPath = $SPLUNK_DB/msad/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

[perfmon]
homePath = $SPLUNK_DB/perfmon/db
coldPath = $SPLUNK_DB/perfmon/colddb
thawedPath = $SPLUNK_DB/perfmon/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
coldPath = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
maxDataSize = 10000
maxHotBuckets = 10

[windows]
homePath = $SPLUNK_DB/windows/db
coldPath = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb
maxDataSize = 10000
maxHotBuckets = 10
  • Copy the entire splunk_app_windows_infrastructure folder to the C:\Program Files\Splunk\etc\apps directory.
  • Restart Splunk from the command line with the following commands:
cd \Program Files\Splunk\bin
.\splunk restart

step-3:

  • Log back in to Splunk Enterprise from a browser (http://localhost:8000/) on the deployment server.
  • Settings > Forwarding and receiving > Configure receiving > Add new > 9997 > Save.

step-4 :

  • In the browser on the deployment server create a new application (Apps > Manage apps > Create app) with the following values:
NAME          Send_to_indexer
FOLDER NAME   sendtoindexer
VERSION       1.0.0
VISIBLE       No
AUTHOR        –anything–
TEMPLATE      barebones
  • Click save.
  • Create a file named outputs.conf with the following text in the C:\Program Files\Splunk\etc\apps\sendtoindexer\local directory of the deployment server.
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = <indexer_hostname_or_ip_address>:9997

[tcpout-server://<indexer_hostname_or_ip_address>:9997]
  • Replace <indexer_hostname_or_ip_address> (in both places) with the hostname or IP address of the indexer; in this setup the indexer and the deployment server are the same machine. 9997 is the receiving port enabled in step-3 and is written as a plain number; any placeholder text left in the file stops the forwarders from connecting.
  • Move the sendtoindexer app from C:\Program Files\Splunk\etc\apps to C:\Program Files\Splunk\etc\deployment-apps.
  • Reload the deployment server with the following commands:
cd \Program Files\Splunk\bin
.\splunk reload deploy-server
  • In the browser on the deployment server go to Settings > Forwarder management > Apps.
  • Click Edit > (+) Add new server class > Universal_Forwarder > Save.
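As an added example (not code from the original post), the following Python renders the sendtoindexer outputs.conf for one or more indexers and checks the result before it is copied to deployment-apps, catching in particular a placeholder that was never replaced and a port that does not match the receiving port. The indexer hostnames are assumed; the stanza layout is the one from the file above:

```python
import configparser
import re
from typing import List

HOSTPORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9._-]+):(?P<port>\d{1,5})$")


def render_outputs_conf(indexers: List[str], group: str = "default-autolb-group") -> str:
    """Render outputs.conf for the sendtoindexer app.

    Listing several host:port targets in one group makes the forwarder
    auto-load-balance across them; every target also gets its own
    [tcpout-server://...] stanza, as in the hand-written file above."""
    lines = ["[tcpout]", f"defaultGroup = {group}", "",
             f"[tcpout:{group}]", "server = " + ", ".join(indexers), ""]
    for hostport in indexers:
        lines += [f"[tcpout-server://{hostport}]", ""]
    return "\n".join(lines)


def validate_outputs_conf(text: str, receiving_port: int = 9997) -> List[str]:
    """Return the problems found; an empty list means the file is consistent."""
    problems: List[str] = []
    if re.search(r"<[^>]+>", text):
        problems.append("unreplaced <placeholder> text left in the file")
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: Splunk expects defaultGroup, not defaultgroup
    cp.read_string(text)
    if "tcpout" not in cp or "defaultGroup" not in cp["tcpout"]:
        problems.append("[tcpout] stanza with defaultGroup is missing")
        return problems
    group = cp["tcpout"]["defaultGroup"].strip()
    group_sect = f"tcpout:{group}"
    if group_sect not in cp or "server" not in cp[group_sect]:
        problems.append(f"[{group_sect}] stanza with a server list is missing")
        return problems
    targets = [t.strip() for t in cp[group_sect]["server"].split(",") if t.strip()]
    if not targets:
        problems.append("server list is empty")
    for target in targets:
        m = HOSTPORT_RE.match(target)
        if not m:
            problems.append(f"server entry {target!r} is not host:port")
            continue
        if int(m.group("port")) != receiving_port:
            problems.append(f"{target} does not use the receiving port {receiving_port} "
                            "configured on the indexer")
        if f"tcpout-server://{target}" not in cp:
            problems.append(f"no [tcpout-server://{target}] stanza for {target}")
    return problems


if __name__ == "__main__":
    # Assumed hostname for the lab indexer (same box as the deployment server here).
    conf = render_outputs_conf(["indexer.corp.local:9997"])
    print(conf)
    print("problems:", validate_outputs_conf(conf))
```

Run it once against the file you actually wrote (read it in and pass the text to validate_outputs_conf) before reloading the deployment server; a forwarder that receives a broken outputs.conf simply queues data and logs connection failures in splunkd.log.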

Adding data of the local server

  • In Splunk Enterprise on the deployment server click Splunk Enterprise > Add data > Monitor > Local event logs > Add all and click Next > name the desired host field value > Review and Submit.
  • Under Apps > Search & Reporting > Data summary the host now appears and can be monitored from here on.

Continuation….

Note: Make sure the required ports are open on all three servers and not blocked by Windows Firewall: 9997 (forwarders to the indexer's receiving port), 8089 (forwarders to the deployment server's management port) and 8000 (Splunk Web on the deployment server).
Posted in Active Directory, Migration, O365

MAILBOX MIGRATION (G-MAIL TO O365)

Migrating mailboxes from Gmail to O365 needs a few prerequisites:

  1. Enabling the IMAP protocol on the Gmail account.
  2. Selecting the labels that should be visible to the IMAP migration.
  3. Allowing Less Secure App Access, so that O365 can sign in to Gmail over IMAP with only the account password (no OAuth); the IMAP session itself is still encrypted, it is the authentication that is weakened.

Enabling IMAP protocol

  • To enable IMAP, follow these steps:
  • Open Gmail > Settings > Forwarding and POP/IMAP > Enable IMAP in the IMAP access section.

Labels

  • Gmail exposes each label as an IMAP folder, so the label settings decide which items the migration tool can find and let it tell already-migrated items apart from the rest.
  • Show or hide in IMAP the labels whose items should or should not be part of the migration.
  • Removing a label does not remove the messages that carry it.

Less Secure App Access

  • Turning on Less secure app access lets applications that only support password sign-in (no OAuth) reach the account over IMAP, which is exactly what the O365 IMAP migration endpoint uses; it also weakens the account, so turn it back off as soon as the migration batch has completed. Google has since retired this setting for most accounts; on those, an app password on an account with 2-Step Verification is the way to get password-based IMAP access.
  • Open Gmail > Manage your Google Account > Security > turn on Less secure app access.

Migration process

Sign in to the O365 portal with the login credentials of an Exchange administrator.

  • Admin > Show all > Exchange > recipients > migration > more > migration endpoints.
  • Add a new migration endpoint > IMAP > IMAP server name: imap.gmail.com (leave the port at 993 and encryption at SSL) > Next > migration endpoint name: imap.gmail.com > maximum concurrent migrations: 20 > maximum concurrent incremental syncs: 10 > New.
  • Go back to recipients > migration > migrate to Exchange Online (plus sign) > IMAP migration > choose the CSV file in the format shown below > follow the on-screen prompts to start the migration batch.
  • O365 takes a good amount of time per mailbox to complete the migration, depending on the size of the mailbox being migrated.
The CSV needs exactly this header row (EmailAddress,UserName,Password) and one line per mailbox:

EmailAddress    Target email address (O365 mailbox)
UserName        Source email address (Gmail)
Password        Source mailbox password (Gmail)
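As an added example (not code from the original post), the following Python builds that CSV from a list of mailboxes and checks it before upload: exact header, one target per row in the tenant domain, Gmail sources, no duplicates, no empty passwords, and the row limit Exchange Online documents for a migration CSV. The tenant domain (contoso.com) and the users are made up for the example:

```python
import csv
import io
import re
from typing import List, Tuple

HEADER = ["EmailAddress", "UserName", "Password"]
MAX_ROWS = 50000  # Exchange Online's documented row limit for one migration CSV
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_migration_csv(rows: List[Tuple[str, str, str]]) -> str:
    """rows are (target O365 address, source Gmail address, Gmail password).

    csv.writer quotes any value containing a comma or a double quote, so
    passwords with those characters do not shift the columns."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    for row in rows:
        writer.writerow(row)
    return buf.getvalue()


def check_migration_csv(text: str, target_domain: str, source_domain: str = "gmail.com") -> List[str]:
    """Return the problems found in a migration CSV; an empty list means it is ready to upload."""
    problems: List[str] = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header != HEADER:
        problems.append(f"header must be exactly {','.join(HEADER)}, got {header}")
        return problems
    seen_targets, seen_sources = set(), set()
    rows = 0
    for lineno, row in enumerate(reader, start=2):
        if not row or row == [""]:
            continue  # blank line
        rows += 1
        if len(row) != 3:
            problems.append(f"line {lineno}: expected 3 columns, got {len(row)}")
            continue
        target, source, password = (c.strip() for c in row)
        if not EMAIL_RE.match(target) or not target.lower().endswith("@" + target_domain.lower()):
            problems.append(f"line {lineno}: target {target!r} is not a mailbox in {target_domain}")
        if not EMAIL_RE.match(source) or not source.lower().endswith("@" + source_domain.lower()):
            problems.append(f"line {lineno}: source {source!r} is not a {source_domain} address")
        if not password:
            problems.append(f"line {lineno}: empty password")
        if target.lower() in seen_targets:
            problems.append(f"line {lineno}: target {target!r} listed more than once")
        if source.lower() in seen_sources:
            problems.append(f"line {lineno}: source {source!r} listed more than once")
        seen_targets.add(target.lower())
        seen_sources.add(source.lower())
    if rows == 0:
        problems.append("no mailbox rows")
    if rows > MAX_ROWS:
        problems.append(f"{rows} rows exceeds the {MAX_ROWS} row limit; split the batch")
    return problems


if __name__ == "__main__":
    # Constructed sample mailboxes; the tenant domain is assumed.
    sample = [("alice@contoso.com", "alice.example@gmail.com", "p,ass\"word"),
              ("bob@contoso.com", "bob.example@gmail.com", "hunter2")]
    text = build_migration_csv(sample)
    print(text)
    print("problems:", check_migration_csv(text, "contoso.com"))
```

The file holds the users' Gmail passwords in clear text: generate it on an admin workstation, upload it straight away, and delete it (and any copy in a mail or chat history) once the batch has been created.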