https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/534002#M89659 <P>Greetings!<BR /><BR />We recently upgraded our UFs throughout the environment to 8.1.0, and since the upgrade, none of the Windows based forwarders appear to be doing AD GUID/SID-to-value lookups. We have verified that&nbsp;<SPAN>&nbsp;evt_resolve_ad_obj = 1&nbsp;is set in inputs.conf for the&nbsp;</SPAN>[WinEventLog://Security] stanza&nbsp;<SPAN>(verified with btool as well), and prior to the upgrade, the functionality was working fine. We tried installing the 8.1.1 version of the forwarder on one box as a test, but the problem persisted. Has anyone seen this or have any suggestions on what to check?<BR /><BR />This is a multi-site clustered environment running Splunk Enterprise 8.0.7. Thanks for your help!</SPAN></P> Wed, 23 Dec 2020 22:02:02 GMT abaumbusch 2020-12-23T22:02:02Z https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/534002#M89659 <P>Greetings!<BR /><BR />We recently upgraded our UFs throughout the environment to 8.1.0, and since the upgrade, none of the Windows based forwarders appear to be doing AD GUID/SID-to-value lookups. We have verified that&nbsp;<SPAN>&nbsp;evt_resolve_ad_obj = 1&nbsp;is set in inputs.conf for the&nbsp;</SPAN>[WinEventLog://Security] stanza&nbsp;<SPAN>(verified with btool as well), and prior to the upgrade, the functionality was working fine. We tried installing the 8.1.1 version of the forwarder on one box as a test, but the problem persisted. Has anyone seen this or have any suggestions on what to check?<BR /><BR />This is a multi-site clustered environment running Splunk Enterprise 8.0.7. Thanks for your help!</SPAN></P> Wed, 23 Dec 2020 22:02:02 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/534002#M89659 abaumbusch 2020-12-23T22:02:02Z https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/535682#M89839 <P>Have you managed to resolve this?</P><P>I have this exact same problem, unfortunately haven't found any other solution than downgrading to 8.0.x</P><P>Enabled DEBUG logging but can't find any indication of what is failing, following this article here&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/MonitorWindowseventlogdata" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/MonitorWindowseventlogdata</A>&nbsp;suggest&nbsp;</P><P>"<SPAN>If you discover that SIDs are not being translated properly, you can review&nbsp;</SPAN>%SPLUNK_HOME%\var\log\splunkd.log<SPAN>&nbsp;for clues on what the problem might be. Problems with SID translations appear in the&nbsp;</SPAN>DsCrackNamesW<SPAN>&nbsp;API, which appear at the DEBUG logging level for&nbsp;</SPAN>splunkd.log<SPAN>, in the&nbsp;</SPAN>ExecProcessor<SPAN>&nbsp;log facility. For information on how to set the DEBUG logging level to see debug logs, see&nbsp;</SPAN><A href="http://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/Enabledebuglogging" target="_blank" rel="noopener">Enable debug logging</A><SPAN>&nbsp;in the&nbsp;</SPAN><I>Troubleshooting Manual</I><SPAN>."&nbsp;</SPAN></P><P>Any suggestions appreciated!</P> Wed, 13 Jan 2021 16:10:46 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/535682#M89839 greggernigant 2021-01-13T16:10:46Z https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/535684#M89840 <P>I opened a support case with Splunk, but research on their end is still ongoing. They thought the issue might be with Windows machines on older versions of the OS (e.g. 2012), but we are seeing this on 2016 servers as well. If I do get a solutions from them, I will make sure to post it. Thanks for your response!</P> Wed, 13 Jan 2021 17:07:58 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/535684#M89840 abaumbusch 2021-01-13T17:07:58Z https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/535696#M89844 <P>Thanks!</P><P>If that helps, in my environment the issue exists on server 2016 and 2019, tried ufw 8.1.0 and the latest 8.1.1 (splunkforwarder-8.1.1-08187535c166-x64-release) without any luck.</P><P>Cheers.</P> Wed, 13 Jan 2021 18:10:37 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/535696#M89844 greggernigant 2021-01-13T18:10:37Z https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/537509#M90088 <P>The following has been added to known issues:<BR /><BR />SPL-199409, SPL-199691: Windows EventLog SIDs no longer resolving after upgrade to 8.1&nbsp;</P><P>Splunk Devs acknowledged the bug (I work with <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/125240">@abaumbusch</a>) and provided the following workarounds:</P><UL><LI>replace the splunk-winevtlog.exe binary on an 8.1.x forwarder with a copy from an 8.0.x forwarder, OR</LI><LI>set 'use_old_eventlog_api' to true for any WinEventLogs that need the SID/GUID translation. It was found that this issue does not affect any channel where 'use_old_eventlog_api' is enabled.</LI></UL> Wed, 27 Jan 2021 23:20:33 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/537509#M90088 jeff 2021-01-27T23:20:33Z https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/538848#M90288 <P>Looks like this is still an issue in 8.1.2: <A href="https://docs.splunk.com/Documentation/Forwarder/8.1.2/Forwarder/KnownIssues" target="_blank">https://docs.splunk.com/Documentation/Forwarder/8.1.2/Forwarder/KnownIssues</A>.</P> Sat, 06 Feb 2021 01:00:24 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/538848#M90288 mmatturro 2021-02-06T01:00:24Z https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/538868#M90289 <P>I was told the fix may come in 8.1.3. I can confirm adding&nbsp; use_old_eventlog_api = 1 to the wineventlog:security stanza in inputs conf seems to resolve the issue. I deployed this change to forwarders on test and dev systems in our environment and the sids were properly resolved.</P> Sat, 06 Feb 2021 16:56:30 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/538868#M90289 jeff 2021-02-06T16:56:30Z https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/556232#M92089 <P>Do you know if using&nbsp;<SPAN>use_old_eventlog_api caused any other issues or side effects? Any issues with field extractions?</SPAN></P> Thu, 17 Jun 2021 19:43:05 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Universal-Forwarders-no-longer-performing-AD-GUID-SID-to/m-p/556232#M92089 pbarbuto 2021-06-17T19:43:05Z