topic Re: Windows SID Resolving in Splunk in Getting Data In

Windows SID Resolving in Splunk

pj — Mon, 02 May 2011 00:25:23 GMT

As i understand it, Splunk is able to resolve SIDs in Windows Security Events. The documentation around this is not very clear, but I assume Splunk essentially replaces the SID in the event with the resolved name?

We have many forwarders (lightweight) deployed on domain controllers that are version 4.0.9 and higher, however the SID does not seem to be getting resolved. It is my understanding from the documentation that windows security events automatically have evt_resolve_ad_obj = 1 set by default and that there is no need to specify this in the inputs.conf on the forwarder? We are not using the windows app in case that makes a difference.

The documentation mentions evt_dc_name and/or evt_dns_name attributes - do these need to be set for this to work?

Hoping that someone can help and clarify the situation around this and also how it works.

Thanks

Re: Windows SID Resolving in Splunk

erga00 — Mon, 28 Sep 2020 09:31:05 GMT

The evt_resolve_ad_obj setting is defined in the windows app inside the [WinEventLog:Security] stanza from inputs.conf. If you don't have the windows app then it won't take effect.

All you need to do is add evt_resolve_ad_obj = 1 to the input for the security event log whereever you've defined it.

As for evt_dc_name & evt_dns_name attributes, you don't have to specify them. Splunk will choose a domain controller on it's own. You only use those settings if you want to specify which domain controller it uses.

Which you're probably going to need to do if you have multiple sites across slow WAN links. Splunk doesn't use AD site information to pick a local domain controller so a light forwarder in New York may use the domain controller in London for example. This greatly slows down indexing so be careful.

Re: Windows SID Resolving in Splunk

pj — Mon, 02 May 2011 14:24:38 GMT

Many thanks for the clarification

Re: Windows SID Resolving in Splunk

erga00 — Mon, 02 May 2011 16:51:48 GMT

No problem.

By the way, I've logged enhancement request (ENH-4128) to have Splunk automatically choose a domain controller in the same site.

Re: Windows SID Resolving in Splunk

bojanz — Mon, 28 Sep 2020 12:08:19 GMT

Do you know if ENH-4128 got implemented? I'm seeing some forwarders have DsBind errors and am wondering if manually setting evt_dns_name could help these errors go away?

Re: Windows SID Resolving in Splunk

erga00 — Tue, 24 Jul 2012 21:57:55 GMT

I was told this issue was fixed in Splunk 4.3 but I haven't tested as I'm still running an older release.