<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Windows Event Logs: renderXml and evt_resolve_ad_obj in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-the-error-Windows-Event-Logs-renderXml-and-evt-resolve-ad/m-p/652722#M110783</link>
    <description>&lt;P&gt;&lt;SPAN&gt;I've encountered a similar issue with the Microsoft-Windows-DNS-Client/Operational log. I wonder if you've found a solution for this case. If you have, could you please share it with me?&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 01 Aug 2023 14:48:04 GMT</pubDate>
    <dc:creator>Wanki</dc:creator>
    <dc:date>2023-08-01T14:48:04Z</dc:date>
    <item>
      <title>Why the error: Windows Event Logs: renderXml and evt_resolve_ad_obj?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-the-error-Windows-Event-Logs-renderXml-and-evt-resolve-ad/m-p/625848#M107544</link>
      <description>&lt;P&gt;I am deploying the Splunk Windows TA to my UFs.&amp;nbsp; My test case is UF&amp;nbsp;&lt;SPAN&gt;8.2.9 and Splunk_TA_windows 8.5.&lt;/SPAN&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When I create inputs that have both&lt;STRONG&gt; renderXml=true&lt;/STRONG&gt; and&amp;nbsp;&lt;SPAN&gt;&lt;STRONG&gt;evt_resolve_ad_obj = 1&lt;/STRONG&gt;, I am not receiving the SID translations. However, it works sending back standard events instead of XML. Is evt_resolve_ad_obj not supported with renderXml?&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN&gt;The documentation makes no mention of this.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;The "&lt;/SPAN&gt;&lt;SPAN&gt;WinEventLog://Security" input has these settings applied, but the AD search results are not coming back for that input either.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;I found nothing in the splunk.log showing any errors.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Here is an example I tried to build outside of the Security events. Again, the evt_resolve_ad_obj works if I remove renderXml=true:&lt;/SPAN&gt;&lt;/P&gt;
&lt;LI-CODE lang="markup"&gt;[WinEventLog://Microsoft-Windows-PushNotification-Platform/Operational]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = win
renderXml=true&lt;/LI-CODE&gt;
</description>
      <pubDate>Tue, 01 Aug 2023 18:29:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-the-error-Windows-Event-Logs-renderXml-and-evt-resolve-ad/m-p/625848#M107544</guid>
      <dc:creator>ohbuckeyeio</dc:creator>
      <dc:date>2023-08-01T18:29:32Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Event Logs: renderXml and evt_resolve_ad_obj</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-the-error-Windows-Event-Logs-renderXml-and-evt-resolve-ad/m-p/652722#M110783</link>
      <description>&lt;P&gt;&lt;SPAN&gt;I've encountered a similar issue with the Microsoft-Windows-DNS-Client/Operational log. I wonder if you've found a solution for this case. If you have, could you please share it with me?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 01 Aug 2023 14:48:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-the-error-Windows-Event-Logs-renderXml-and-evt-resolve-ad/m-p/652722#M110783</guid>
      <dc:creator>Wanki</dc:creator>
      <dc:date>2023-08-01T14:48:04Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Event Logs: renderXml and evt_resolve_ad_obj</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-the-error-Windows-Event-Logs-renderXml-and-evt-resolve-ad/m-p/652730#M110785</link>
      <description>&lt;P&gt;I ended up removing the renderXml=true option. It does not look like evt_resolve_ad_obj works with XML or is broken.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Aug 2023 15:11:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-the-error-Windows-Event-Logs-renderXml-and-evt-resolve-ad/m-p/652730#M110785</guid>
      <dc:creator>ohbuckeyeio</dc:creator>
      <dc:date>2023-08-01T15:11:10Z</dc:date>
    </item>
  </channel>
</rss>

