As I understand it, Splunk is able to resolve SIDs in Windows Security Events. The documentation around this is not very clear, but I assume Splunk essentially replaces the SID in the event with the resolved name?
We have many forwarders (lightweight) deployed on domain controllers that are version 4.0.9 and higher; however, the SID does not seem to be getting resolved. It is my understanding from the documentation that Windows security events automatically have evt_resolve_ad_obj = 1 set by default and that there is no need to specify this in the inputs.conf on the forwarder? We are not using the Windows app, in case that makes a difference.
The documentation mentions evt_dc_name and/or evt_dns_name attributes. Do these need to be set for this to work?
Hoping that someone can help and clarify the situation around this and also how it works.
Thanks
The evt_resolve_ad_obj setting is defined in the Windows app inside the [WinEventLog:Security] stanza of inputs.conf. If you don't have the Windows app, then it won't take effect.
All you need to do is add evt_resolve_ad_obj = 1 to the input for the Security event log wherever you've defined it.
As for the evt_dc_name and evt_dns_name attributes, you don't have to specify them. Splunk will choose a domain controller on its own. You only use those settings if you want to specify which domain controller it uses.
You're probably going to need to do that if you have multiple sites across slow WAN links. Splunk doesn't use AD site information to pick a local domain controller, so a light forwarder in New York may use the domain controller in London, for example. This greatly slows down indexing, so be careful.
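The inputs.conf stanza the answer above describes, written out as an added example (this is not configuration from the original thread or from Splunk's own documentation). It shows the stanza without the resolution setting next to the corrected one that enables SID resolution and pins the forwarder to a domain controller in its own site. The hostname dc01.nyc.example.corp and the domain example.corp are constructed placeholders; replace them with your own values.

```ini
# inputs.conf on a light forwarder running on a domain controller
# (e.g. $SPLUNK_HOME/etc/system/local/inputs.conf). Example added here,
# not from the original thread.

# --- Before: Security log is collected, but SIDs in the events are left
# --- unresolved because evt_resolve_ad_obj is not set in this stanza.
[WinEventLog:Security]
disabled = 0

# --- After: SID resolution enabled, and the domain controller pinned so a
# --- forwarder in one site does not bind to a DC across a slow WAN link.
# --- dc01.nyc.example.corp and example.corp are constructed placeholders.
[WinEventLog:Security]
disabled = 0
evt_resolve_ad_obj = 1
evt_dc_name = dc01.nyc.example.corp
evt_dns_name = example.corp
```

Only one [WinEventLog:Security] stanza should exist in a given inputs.conf; the two are shown together purely to contrast the settings. After editing the file, restart the forwarder so the new stanza is read. If you pin a DC with evt_dc_name, pick one in the same AD site as the forwarder; a DC that is unreachable or slow to answer the bind will show up as stalled indexing on that host, which is the symptom to watch for after the change.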
I was told this issue was fixed in Splunk 4.3, but I haven't tested it as I'm still running an older release.
Do you know if ENH-4128 got implemented? I'm seeing some forwarders have DsBind errors and am wondering if manually setting evt_dns_name could help make these errors go away.
No problem.
By the way, I've logged an enhancement request (ENH-4128) to have Splunk automatically choose a domain controller in the same site.
Many thanks for the clarification.