How to pick your local domain controller for event log SID translation?

javiergn
SplunkTrust

Hi,

We recently deployed the following config to 500 Windows Universal Forwarders:

[WinEventLog://Security]
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1

And that almost killed our primary domain controller. For some reason, all the forwarders tried to query this PDC instead of contacting their local domain controller, so we have disabled SID translation for now.

A couple of questions:

  • Is there any way to specify evt_dc_name in such a way that the universal forwarder uses its local domain controller instead of going to the PDC?
  • Could we potentially specify "evt_dc_name = localhost" to force the universal forwarders to translate SIDs locally? Will that work?
  • I know I could deploy different config files per site simply by using whitelists and machine names, but this is not 100% reliable. How do you guys deal with event logs and SID translation in large infrastructures?
  • Finally, is there any way to tell the universal forwarders to cache previously translated SIDs for a certain period of time? It seems to me like a waste of resources to be querying the domain controllers all the time.

Thanks,
Javier

1 Solution

javiergn
SplunkTrust

Actually yes. There are plenty of options now available since 6.4:

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf#Windows_Event_Log_Monitor

For example:

evt_resolve_ad_ds = [auto|PDC]
* How the input should choose the domain controller to bind for
  AD resolution.
* This setting is optional.
* If set to PDC, the input only contacts the primary domain controller
  to resolve AD objects.
* If set to auto, the input lets Windows choose the best domain controller.
* If you set the 'evt_dc_name' setting, the input ignores this setting.
* Defaults to 'auto' (let Windows determine the domain controller to use).

evt_ad_cache_disabled = [0|1]
* Enables or disables the AD object cache.
* Defaults to 0.

evt_sid_cache_disabled = [0|1]
* Enables or disables the account Security IDentifier (SID) cache.
* This setting is global. It affects all Windows Event Log stanzas.
* Defaults to 0.

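As an added example that is not part of the original thread, this is how the settings quoted above can be combined with the stanza from the question so that forwarders stop pinning the PDC. It assumes a Universal Forwarder at 6.4 or later, where these settings exist.

```ini
# inputs.conf on the Windows Universal Forwarder (added example, not from
# the thread). Assumes Splunk UF 6.4+ where evt_resolve_ad_ds and the
# *_cache_disabled settings quoted above are available.

[WinEventLog://Security]
disabled = 0
start_from = oldest

# Keep resolving SIDs and GUIDs to account names in the events.
evt_resolve_ad_obj = 1

# Let the Windows DC locator pick the best domain controller (normally one
# in the forwarder's own site) rather than pinning every forwarder to the PDC.
# Do NOT also set evt_dc_name here: if evt_dc_name is set, evt_resolve_ad_ds
# is ignored and every forwarder binds to that one named DC.
evt_resolve_ad_ds = auto

# Leave both caches enabled (0 = enabled, the default) so a SID that has
# already been translated is not re-queried against the DC for every event.
evt_ad_cache_disabled = 0
# Note: evt_sid_cache_disabled is global and affects all WinEventLog stanzas.
evt_sid_cache_disabled = 0
```

The weak variant is the original stanza alone with no evt_resolve_ad_ds line, or any stanza that sets evt_dc_name to a single controller, since both concentrate every forwarder's lookups on one DC.
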
alemarzu
Motivator

Any answer/solution on this, Javier?
