https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251019#M1795 <P>According to section "Resolve Active Directory objects in event log files" in all versions of this document:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/MonitorWindowsdata" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/MonitorWindowsdata</A></P> <P>The following (direct quote) is true:</P> <PRE><CODE>The evt_resolve_ad_obj attribute is on by default for the Security channel. </CODE></PRE> <P>We upgraded to 6.2.5 and discovered that THIS IS NO LONGER TRUE (and caused us a HUGE headache). At some point between Splunk v6.? when everything was fine and v6.2.5 which is where we are now, Splunk changed (probably accidentally) the default value for parameter “evt_resolve_ad_obj” from “true” to “false”. So once we upgraded, the automatic decoding of SIDs and GUIDs stopped happening. If you are using Splunk for Enterprise Security or anything else that requires consistent WinEventLog Security events, this bug could be a huge problem for you.</P> Tue, 29 Sep 2020 07:25:48 GMT woodcock 2020-09-29T07:25:48Z https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251019#M1795 <P>According to section "Resolve Active Directory objects in event log files" in all versions of this document:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/MonitorWindowsdata" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.5/Data/MonitorWindowsdata</A></P> <P>The following (direct quote) is true:</P> <PRE><CODE>The evt_resolve_ad_obj attribute is on by default for the Security channel. </CODE></PRE> <P>We upgraded to 6.2.5 and discovered that THIS IS NO LONGER TRUE (and caused us a HUGE headache). At some point between Splunk v6.? when everything was fine and v6.2.5 which is where we are now, Splunk changed (probably accidentally) the default value for parameter “evt_resolve_ad_obj” from “true” to “false”. So once we upgraded, the automatic decoding of SIDs and GUIDs stopped happening. If you are using Splunk for Enterprise Security or anything else that requires consistent WinEventLog Security events, this bug could be a huge problem for you.</P> Tue, 29 Sep 2020 07:25:48 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251019#M1795 woodcock 2020-09-29T07:25:48Z https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251020#M1796 <P>The solution is simple: do not rely on the default value and add the following explicit configuration string to all <CODE>[WinEventLog://Security]</CODE> stanzas inside of <CODE>inputs.conf</CODE>:</P> <PRE><CODE>evt_resolve_ad_obj = 1 </CODE></PRE> <P>This can be a preventative change made to any version of Splunk so it should be made ASAP, regardless of your specific upgrade plans. If the change is preventative you are done; if it is corrective, then you must restart all splunk instances on effected forwarders.</P> Thu, 01 Oct 2015 00:06:30 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251020#M1796 woodcock 2015-10-01T00:06:30Z https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251021#M1797 <P>After some research I've determined that this was indeed changed for all versions of 6.2.</P> <P>The documentation has been updated and an upgrade note has been added.</P> <P>Apologies for any inconvenience.</P> Thu, 01 Oct 2015 20:27:54 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251021#M1797 malmoore 2015-10-01T20:27:54Z https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251022#M1798 <P>This was much more than a mere "inconvenience" for my client; it was a very big problem that WOULD NOT have been so painful to isolate (and maybe not have happened at all) had the documentation here mentioned it (so these should all be updated, too!):</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.ALL-VERSIONS/ReleaseNotes/Knownissues">http://docs.splunk.com/Documentation/Splunk/6.2.ALL-VERSIONS/ReleaseNotes/Knownissues</A><BR /> I suggest a note both in the "Data Input" and "Known Issues" sections!</P> Thu, 01 Oct 2015 20:35:56 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251022#M1798 woodcock 2015-10-01T20:35:56Z https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251023#M1799 <P>Technically it's not a known issue, but a reversion to a previous behavior that was not caught in the documentation. <A href="http://docs.splunk.com/Documentation/Splunk/6.2beta/Installation/Aboutupgradingto6.2READTHISFIRST#Windows-specific_changes">It has been added</A> now.</P> <P>Again, sincere apologies for the headache that this caused.</P> Thu, 01 Oct 2015 20:48:02 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/WinEventLog-Security-default-for-evt-resolve-ad-obj-Automatic/m-p/251023#M1799 malmoore 2015-10-01T20:48:02Z