Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Applocker logs through WEC, sid translation for renderXml

rvaningh_bics
New Member
‎11-03-2016 08:46 AM

My clients are sending their applocker logs in cf:Events format to a windows event collector which runs an UF.

When running with renderXml=0 I only get the message %11 was allowed to run instead of the binary that ran.
This seems to be a WEC quirk and not Splunk related.
In this mode I get a proper sid resolution for the User field (setting evt_resolve_ad_obj = 0 results in NOT_RESOLVED)

When I turn the logs to XML mode by setting renderXml=1 I get the correct information in the logs and I can parse it out using xmlkv.

However no sid translation is done and I'm stuck with the numeric SID.

  • Is the %11 issue a generic Applocker-through-WEC issue ?
  • How did you work around it ... using renderXml ?
  • On which fields is the SID translation supposed to work ?
  • Any other workarounds than dumping the whole AD and using a lookup?

Thanks

Ronny

0 Karma
Reply

abpe
Path Finder
‎11-10-2016 03:57 AM

For the %11 issue, change your regional settings to English (United States).
I personally use renderXml but couldn't find anything regarding SID translation. I guess the SID matching is hardcoded in the application and it's not able to match in the applocker logs due to the difference in how the SID is presented there.

0 Karma
Reply

rvaningh_bics
New Member
‎11-28-2016 05:13 AM

I had already tried changing the system local on both the clients and the WEC server... no luck

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...