https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-evtx-file-import-Foriegn-AD-Domain/m-p/557628#M92283 <P>Hello,</P><P>Hoping to get a hint on where to go with this;</P><P><STRONG>Use Case:&nbsp;</STRONG>I am attempting to import files from a exported .evtx file from a external Windows host as per:&nbsp;<BR /><BR /><A title="Splunk Docs for Importing Windows Event Log Files" href="https://docs.splunk.com/Documentation/Splunk/7.3.3/Data/MonitorWindowseventlogdata#Index_exported_event_log_.28.evt_or_.evtx.29_files" target="_self">Splunk Docs for Importing Windows Event Log Files</A><BR /><BR />The inputs.conf has been written close to the following.</P><P>&nbsp;</P><LI-CODE lang="markup">[monitor://D:\SplunkLogImport\awesome_hostname\preprocess-winevt\*.evtx] disabled = 0 sourcetype = preprocess-winevt host = awesome_hostname index = awesome_index crcSalt = &lt;SOURCE&gt; move_policy = sinkhole evt_resolve_ad_obj = 0</LI-CODE><P>&nbsp;</P><P>The challenge here is the logs are from a server in another domain from another network entirely and I have no access to a domain controller.<BR /><BR />As per:&nbsp;<BR /><A title="Splunk Docs for Monitor Windows EventLog Data" href="https://docs.splunk.com/Documentation/Splunk/7.3.2/Data/MonitorWindowseventlogdata#How_the_Windows_Event_Log_monitor_interacts_with_Active_Directory_.28AD.29" target="_self">Splunk Docs for Monitor Windows EventLog Data</A>&nbsp;<BR /><BR />I am recieving an error (as expected) but I'm not seeing any data come in.&nbsp; I am not concerned with having all the data resolved and seeking to simply input this data.&nbsp; &nbsp;<BR /><BR /><STRONG>Question:</STRONG> Any thoughts on how to blindly import the event logs knowing full well we're not going to get SID/GID object resolution?&nbsp; What is required to tell the forwarder not to bind to the domain?&nbsp; I've attempted&nbsp; the following with no results.</P><P>&nbsp;</P><LI-CODE lang="markup">evt_resolve_ad_obj = 0</LI-CODE><P>&nbsp;</P><P>I would appreciate any guidance that may exist on this subject.<BR /><BR /><STRONG>Details:<BR /></STRONG>Host is running Splunk Universal Forwarder v 7.3 on Windows 2012.&nbsp; Source data is from a Windows 2008 R2 server.&nbsp;</P><P><STRONG>The Error:&nbsp;</STRONG><EM>(thousands of these)</EM><STRONG><BR /></STRONG>INFO WinEventLogChannel - WinEventLogChannel::getEventsNew (2000): No bindToDc<STRONG><BR /><BR /></STRONG></P><P><BR /><BR /></P> Tue, 29 Jun 2021 15:03:18 GMT dsctm3 2021-06-29T15:03:18Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-evtx-file-import-Foriegn-AD-Domain/m-p/557628#M92283 <P>Hello,</P><P>Hoping to get a hint on where to go with this;</P><P><STRONG>Use Case:&nbsp;</STRONG>I am attempting to import files from a exported .evtx file from a external Windows host as per:&nbsp;<BR /><BR /><A title="Splunk Docs for Importing Windows Event Log Files" href="https://docs.splunk.com/Documentation/Splunk/7.3.3/Data/MonitorWindowseventlogdata#Index_exported_event_log_.28.evt_or_.evtx.29_files" target="_self">Splunk Docs for Importing Windows Event Log Files</A><BR /><BR />The inputs.conf has been written close to the following.</P><P>&nbsp;</P><LI-CODE lang="markup">[monitor://D:\SplunkLogImport\awesome_hostname\preprocess-winevt\*.evtx] disabled = 0 sourcetype = preprocess-winevt host = awesome_hostname index = awesome_index crcSalt = &lt;SOURCE&gt; move_policy = sinkhole evt_resolve_ad_obj = 0</LI-CODE><P>&nbsp;</P><P>The challenge here is the logs are from a server in another domain from another network entirely and I have no access to a domain controller.<BR /><BR />As per:&nbsp;<BR /><A title="Splunk Docs for Monitor Windows EventLog Data" href="https://docs.splunk.com/Documentation/Splunk/7.3.2/Data/MonitorWindowseventlogdata#How_the_Windows_Event_Log_monitor_interacts_with_Active_Directory_.28AD.29" target="_self">Splunk Docs for Monitor Windows EventLog Data</A>&nbsp;<BR /><BR />I am recieving an error (as expected) but I'm not seeing any data come in.&nbsp; I am not concerned with having all the data resolved and seeking to simply input this data.&nbsp; &nbsp;<BR /><BR /><STRONG>Question:</STRONG> Any thoughts on how to blindly import the event logs knowing full well we're not going to get SID/GID object resolution?&nbsp; What is required to tell the forwarder not to bind to the domain?&nbsp; I've attempted&nbsp; the following with no results.</P><P>&nbsp;</P><LI-CODE lang="markup">evt_resolve_ad_obj = 0</LI-CODE><P>&nbsp;</P><P>I would appreciate any guidance that may exist on this subject.<BR /><BR /><STRONG>Details:<BR /></STRONG>Host is running Splunk Universal Forwarder v 7.3 on Windows 2012.&nbsp; Source data is from a Windows 2008 R2 server.&nbsp;</P><P><STRONG>The Error:&nbsp;</STRONG><EM>(thousands of these)</EM><STRONG><BR /></STRONG>INFO WinEventLogChannel - WinEventLogChannel::getEventsNew (2000): No bindToDc<STRONG><BR /><BR /></STRONG></P><P><BR /><BR /></P> Tue, 29 Jun 2021 15:03:18 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-evtx-file-import-Foriegn-AD-Domain/m-p/557628#M92283 dsctm3 2021-06-29T15:03:18Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-evtx-file-import-Foriegn-AD-Domain/m-p/557631#M92284 <P>So I found the solution, and as usual "It was dumb"<BR /><BR />The resolution was that the hostname field was ignored by the input for some reason and the data got processed as the actual hostname of the host, not the name I gave it.&nbsp; &nbsp;When I search for the actual hostname the logs have been ingested despite the warning about DC binds.<BR /><BR />I suppose when you use that sourcetype Splunk ingests the data and runs it through the TA as it came from a native forwarder.&nbsp; I suspect some of the data might be missing, but I'm willing to accept that given the lack of resolution.<BR /><BR />Marking this solved for now.</P> Tue, 29 Jun 2021 15:35:26 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Log-evtx-file-import-Foriegn-AD-Domain/m-p/557631#M92284 dsctm3 2021-06-29T15:35:26Z