We are currently testing Splunk with the intention of having it collect our Security logs and other logs from domain controllers.
Early on, we ran into an issue where user IDs and group GUIDs were being translated after getting ingested into Splunk. A quick Google search revealed a simple switch to a configuration item in a stanza that would no longer translate the account GUIDs. While it's nice that the GUIDs can be resolved, we want a one-to-one match of what is collected from the event log to be what is put into Splunk.
There is a security event ID 4625 that we collect. In Splunk, there is a field called "Group Domain". Some 4625 events appear as expected (correct group, correct domain, etc.), but others will show the Group Domain value as the name of the client computer that was generating the security event on the Domain Controller. Incidentally, this same value appears for the "Source Workstation" field.
We are trying to figure out why Splunk is populating the Group Domain field with the name of the workstation generating the security event, and if there is a way to tell Splunk to ignore trying to populate this data field, as it doesn't necessarily apply. If you look at the XML of the event, no such field exists.
Any help, guidance, etc. would be greatly appreciated.
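One way to check the question raised above, that the "Group Domain" field has no counterpart in the event's own XML, is to parse the raw EventData and compare its Data names against the field names the SIEM displays. The script below is an added example, not code from the original post or from Splunk; the 4625 sample it parses is constructed (hostnames, user, SID and IP are made up), and the Windows event XML namespace and the EventData Data names it reads are the standard ones for a Security 4625 event. A SIEM field name passed to compare_with_siem_view is assumed to be exactly as shown in the UI.

```python
"""Parse the raw XML of a Windows Security event and report which SIEM-displayed
field names have no corresponding Data element in the event itself."""
import xml.etree.ElementTree as ET

# Namespace of Windows Event Log XML (standard value for all Security events).
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample of a 4625 (failed logon) event; not a real capture.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID>
    <Channel>Security</Channel>
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp </Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">CLIENT-PC01</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
    <Data Name="IpPort">52211</Data>
  </EventData>
</Event>"""


def parse_security_event(xml_text):
    """Return (system_info, event_data) from a Windows Security event's XML.

    system_info holds EventID and Computer from <System>; event_data maps each
    <Data Name="..."> under <EventData> to its (whitespace-stripped) text.
    """
    root = ET.fromstring(xml_text)
    system = root.find(EVT_NS + "System")
    system_info = {
        "EventID": int(system.findtext(EVT_NS + "EventID")),
        "Computer": system.findtext(EVT_NS + "Computer"),
    }
    event_data = {}
    for data in root.iterfind(EVT_NS + "EventData/" + EVT_NS + "Data"):
        # Some values (e.g. LogonProcessName) carry trailing spaces in real events.
        event_data[data.get("Name")] = (data.text or "").strip()
    return system_info, event_data


def raw_has_field(event_data, name):
    """True if the raw event carries a Data element with exactly this name."""
    return name in event_data


def compare_with_siem_view(event_data, siem_fields):
    """Return the SIEM field names (sorted) that do not exist in the raw event.

    siem_fields is a mapping of field name -> value as shown in the SIEM UI.
    Anything returned here is a derived or renamed field, so its value must be
    explained by the SIEM's own extraction rather than by the event log."""
    return sorted(set(siem_fields) - set(event_data))


if __name__ == "__main__":
    info, data = parse_security_event(SAMPLE_4625)
    print("Event %d on %s" % (info["EventID"], info["Computer"]))
    print("WorkstationName in raw event:", data["WorkstationName"])
    # Hypothetical SIEM view of the same event, as described in the post above.
    siem_view = {"Group Domain": "CLIENT-PC01", "Source Workstation": "CLIENT-PC01"}
    print("SIEM fields absent from raw XML:", compare_with_siem_view(data, siem_view))
```

Running it against an exported event (Event Viewer's "Copy > XML" or `wevtutil qe Security /f:xml`) shows which displayed fields are really the event's own; here the client computer name lives only in `WorkstationName`, so a "Group Domain" value equal to that name is a product of field extraction on the Splunk side, not data in the log.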