Based on my further testing, splunk-wmi.exe completely ignores the evt_resolve_ad_obj flag. When pulling from Windows 2003, WMI always resolves the GUIDs to Distinguished Names. When pulling from Windows 2008, WMI never resolves the GUIDs to Distinguished Names.
Feature request: Add support for evt_resolve_ad_obj to Splunk WMI.
Hugh's example is a Windows 2008 security log. I've also tested with splunk-4.2.1-98164-x64-release.msi, splunkforwarder-4.2.1-98164-x64-release.msi, and splunkforwarder-4.2-96430-x64-release.msi pulling security logs over WMI from a Windows 2003 Domain Controller. I've also tested with splunk-4.2.1-98164-x64-release.msi pulling security logs over WMI from a Windows 2008 R2 Domain Controller.
I've tried evt_resolve_ad_obj = 1 and evt_resolve_ad_obj = 0 in each of these config stanzas:
wmi.conf
[WMI:DC Security Log]
disabled = 0
event_log_file = Security
evt_resolve_ad_obj = 0
index = default
interval = 5
server = 192.168.0.2
inputs.conf
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
evt_resolve_ad_obj = 0
disabled = 0
[WMI:WinEventLog:Security]
evt_resolve_ad_obj = 0
[WinEventLog:Security]
evt_resolve_ad_obj = 0
In our case, we're specifically interested in pulling raw GUIDs from the Windows Security Log "Object Name" field on 2003 and the Object "GUID" field on 2008. The Windows 2008 default is in line with our goal. But our goal is the opposite of Hugh's goal of pulling the resolved names, hence the need for a flag to turn it on and off.
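The post above wants the raw GUIDs indexed while Hugh wants the resolved Distinguished Names. Until the flag works over WMI, one way to serve both needs is to keep the raw GUID (the Windows 2008 default) and resolve it against AD on demand. The script below is an added example, not code from the original post or from Splunk; it binds to AD by GUID using the standard LDAP `<GUID=...>` bind string and returns the DN, and does the reverse (DN to objectGUID) for cross-checking. It assumes it runs on a domain-joined host with read access to the directory; the function names are my own, and the sample field values at the bottom are constructed placeholders that will not resolve to anything in a real domain.

```powershell
# Added example (not from the original post or from Splunk).
# Assumes a domain-joined host with read access to the DC.
# The sample GUIDs at the bottom are constructed and will not resolve.

function ConvertTo-GuidString {
    # Accepts either a bare GUID or the %{...}-wrapped form seen in
    # Security log fields and returns the canonical 36-character form.
    param([Parameter(Mandatory = $true)][string]$Raw)
    $s = $Raw.Trim()
    if ($s -match '^%\{(?<g>[0-9a-fA-F\-]{36})\}$') { $s = $Matches['g'] }
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($s, [ref]$parsed)) {
        throw "Not a GUID: '$Raw'"
    }
    return $parsed.ToString('D')
}

function Resolve-AdObjectGuid {
    # Binds to the directory object by GUID and returns its
    # distinguishedName, or $null if no object carries that GUID.
    # Note: [ADSI] binding is lazy, so the failure surfaces on the
    # property read, which is why the read is inside the try block.
    param([Parameter(Mandatory = $true)][string]$Raw)
    $guid = ConvertTo-GuidString -Raw $Raw
    try {
        $obj = [ADSI]"LDAP://<GUID=$guid>"
        $dn  = [string]$obj.distinguishedName
        if ([string]::IsNullOrEmpty($dn)) { return $null }
        return $dn
    } catch {
        return $null
    }
}

function Get-AdObjectGuid {
    # Reverse direction: bind by DN and return the objectGUID as a string,
    # so a resolved name from a 2003 DC can be checked against a raw GUID.
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    try {
        $obj   = [ADSI]"LDAP://$DistinguishedName"
        $bytes = [byte[]]$obj.objectGUID.Value   # objectGUID is stored as 16 raw bytes
        if ($null -eq $bytes -or $bytes.Length -ne 16) { return $null }
        return (New-Object System.Guid (,$bytes)).ToString('D')
    } catch {
        return $null
    }
}

# Constructed sample values shaped like the 2003 "Object Name" and the
# 2008 Object "GUID" field contents; replace with values from your own log.
$sampleFields = @(
    '%{bf967aba-0de6-11d0-a285-00aa003049e2}',   # %{...}-wrapped form
    'bf967a9c-0de6-11d0-a285-00aa003049e2',      # bare form
    'not-a-guid'                                 # malformed, to show the error path
)

foreach ($field in $sampleFields) {
    try {
        $dn = Resolve-AdObjectGuid -Raw $field
        if ($null -eq $dn) { $dn = '(unresolved)' }
        "{0,-40} -> {1}" -f $field, $dn
    } catch {
        "{0,-40} -> ERROR: {1}" -f $field, $_.Exception.Message
    }
}
```

Because the resolution happens outside the WMI input, the index keeps the raw GUID the post asks for, and anyone who needs the DN can run the lookup at search time or in a scheduled script against the same values. The malformed third sample is there to show that a non-GUID field value raises rather than silently returning nothing.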