This is what I get from the universal forwarder:
Message=Security Enabled Global Group Member Removed:
Member Name: -
Member ID: %{S-1-5-21-1659004503-813497703-682003330-1006}
Target Account Name: None
Target Domain: TEST-4
Target Account ID: %{S-1-5-21-1659004503-813497703-682003330-513}
Caller User Name: test
Caller Domain: TEST-4
Caller Logon ID: (0x0,0x111E1)
Privileges: -
This is the same event, but seen in Event Viewer:
Description:
Security Enabled Local Group Member Removed:
Member Name: -
Member ID: TEST-4\temp1
Target Account Name: Administrators
Target Domain: Builtin
Target Account ID: BUILTIN\Administrators
Caller User Name: test
Caller Domain: TEST-4
Caller Logon ID: (0x0,0x111E1)
Privileges: -
You will see that some fields are different, e.g. Member ID, Target Account Name, Target Domain, Target Account ID.
How can I configure the Splunk forwarder to get the same data as I see in Event Viewer?
Why does the forwarder change the data before sending it to the indexer?
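What the forwarder is sending is the raw security identifier of each account, wrapped as %{S-1-...}, where Event Viewer shows the same identifier already resolved to an account name. The forwarder-side setting for this is evt_resolve_ad_obj = 1 in the [WinEventLog://Security] stanza of inputs.conf (as far as I know it is off by default on a universal forwarder; check the inputs.conf spec for your version), and resolving domain SIDs additionally requires the forwarder to reach a domain controller (evt_dc_name / evt_dns_name in the same stanza). As an added example that is not part of the original post, the Python below parses both renderings quoted above, flags the %{SID} form, decodes the well-known SIDs and relative IDs that can be named without a domain controller, and lists the fields that differ between the two copies. The two sample events are copied from the post; the well-known SID and RID tables are the standard Windows ones and are assumptions of this example, not something taken from the page.

```python
import re

# Constructed samples: the two renderings of the event quoted in the post above.
FORWARDER_EVENT = """\
Security Enabled Global Group Member Removed:
Member Name: -
Member ID: %{S-1-5-21-1659004503-813497703-682003330-1006}
Target Account Name: None
Target Domain: TEST-4
Target Account ID: %{S-1-5-21-1659004503-813497703-682003330-513}
Caller User Name: test
Caller Domain: TEST-4
Caller Logon ID: (0x0,0x111E1)
Privileges: -
"""

EVENTVIEWER_EVENT = """\
Security Enabled Local Group Member Removed:
Member Name: -
Member ID: TEST-4\\temp1
Target Account Name: Administrators
Target Domain: Builtin
Target Account ID: BUILTIN\\Administrators
Caller User Name: test
Caller Domain: TEST-4
Caller Logon ID: (0x0,0x111E1)
Privileges: -
"""

# The forwarder marks a SID it could not resolve by wrapping it in %{...}.
UNRESOLVED_SID = re.compile(r"^%\{(S-1-[0-9-]+)\}$")

# Well-known SIDs and domain-relative IDs that can be named without asking a
# domain controller (standard Windows values; an assumption of this example).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users (on a non-domain-joined host: the primary group named None)",
    514: "Domain Guests",
}


def parse_event(text):
    """Split the 'Field: value' lines of a Security event into a dict.

    The first line is the event title; it carries no colon-separated value.
    """
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    fields = {"Title": lines[0].rstrip(":")}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def unresolved_sid(value):
    """Return the bare SID if the value is the forwarder's %{SID} form, else None."""
    match = UNRESOLVED_SID.match(value)
    return match.group(1) if match else None


def describe_sid(sid):
    """Name a SID from the well-known tables; otherwise say that host lookup is needed."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])
        if rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[rid]
        # Ordinary users and groups start at RID 1000; only the machine or a DC
        # can map them, which is what evt_resolve_ad_obj asks the forwarder to do.
        return "account RID %d (not well-known; needs LookupAccountSid on the host)" % rid
    return "unknown SID layout"


def compare_events(forwarder_text, viewer_text):
    """Return {field: (forwarder value, Event Viewer value)} for fields that differ."""
    fwd, viewer = parse_event(forwarder_text), parse_event(viewer_text)
    return {key: (fwd[key], viewer.get(key)) for key in fwd if fwd[key] != viewer.get(key)}


if __name__ == "__main__":
    for key, (fwd_value, viewer_value) in compare_events(FORWARDER_EVENT, EVENTVIEWER_EVENT).items():
        sid = unresolved_sid(fwd_value)
        note = "  [unresolved SID: %s]" % describe_sid(sid) if sid else ""
        print("%-20s forwarder=%r  eventviewer=%r%s" % (key, fwd_value, viewer_value, note))
```

Running it lists the five differing fields, including the event title (Global Group in the forwarded copy, Local Group in Event Viewer) and the two %{...} SIDs: RID 513 decodes from the table alone, while RID 1006 is an ordinary account that only the host or a domain controller can name, which is exactly the gap the evt_resolve_ad_obj setting is meant to close.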