
Splunk Add-On for Windows / Domain Controller Security Logs / Splunk Fields

Mengotto
Engager

Hello All,

We are currently testing Splunk with the intentions of having it collect our Security logs and other logs from domain controllers.

Early on, we ran into an issue where user IDs and group GUIDs were being translated after getting ingested into Splunk. A quick Google search revealed a simple switch to a configuration item in a stanza that would no longer translate the account GUIDs. While it's nice that the GUIDs can be resolved, we want a one-to-one match of what is collected from the event log to be what is put into Splunk.

There is a security event ID 4625 that we collect. In Splunk, there is a field called "Group Domain". Some 4625 events appear as expected (correct group, correct domain, etc.), but others will show the Group Domain value as the name of the client computer that was generating the security event on the Domain Controller. Incidentally, this same value appears for the "Source Workstation" field.

We are trying to figure out why Splunk is populating the Group Domain field with the name of the workstation generating the security event, and if there is a way to tell Splunk to ignore trying to populate this data field, as it doesn't necessarily apply.  If you look at the XML of the event, no such field exists.

Any help, guidance, etc. would be greatly appreciated.

Regards,

Blake
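One way to confirm the point raised above (that a field like "Group Domain" has no counterpart in the event XML, while the workstation name does) is to parse the raw 4625 record and compare it against the field names Splunk displays. This is an added example, not code from the post or from the Splunk Add-on for Windows; the event record and the Splunk field set are constructed, and the field names are assumptions taken from the post.

```python
"""Trace Splunk-displayed fields back to the EventData of a Windows 4625 record."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample 4625 (logon failure) record, trimmed to the relevant parts.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>dc01.example.test</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WS-FINANCE-07</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
  </EventData>
</Event>"""

# Constructed: field names as the post describes them in the Splunk UI, with
# the values seen for one of the puzzling events.
SPLUNK_FIELDS = {
    "Group Domain": "WS-FINANCE-07",
    "Source Workstation": "WS-FINANCE-07",
    "TargetUserName": "jdoe",
}


def parse_event_data(xml_text):
    """Return (event_id, computer, {Data Name: value}) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", namespaces=NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", namespaces=NS)}
    return event_id, computer, data


def unbacked_fields(splunk_fields, xml_text):
    """Splunk field names with no matching Data element in the XML.

    Each such field maps to the list of XML Data names that carry the same
    value, so a mis-mapped extraction (here, WorkstationName showing up as
    "Group Domain") can be spotted; an empty list means the value is not in
    the XML at all."""
    _, _, data = parse_event_data(xml_text)
    by_value = {}
    for name, value in data.items():
        by_value.setdefault(value, []).append(name)
    return {field: by_value.get(value, [])
            for field, value in splunk_fields.items() if field not in data}
```

Running `unbacked_fields(SPLUNK_FIELDS, SAMPLE_4625)` on the sample shows both "Group Domain" and "Source Workstation" resolving only to the XML's WorkstationName element, while TargetUserName is backed directly.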
