How to debug evt_resolve_ad_obj on a universal for...

Ed_Alias · ‎07-06-2015

Hi,

I am trying to debug evt_resolve_ad_obj not working properly?

How do I enable debug to see wich Domain Controller is being contacted, and see the answer from the DC?

i am on UF 6.2.3 on windows server 2008R2.

dstaulcu · ‎10-04-2015

Hello

For the fact that you are checking on the DC used by a UF, I suspect you have stumbled across a bug I struggled with for a while..

Somewhere between version 6.0 and 6.0.3, a bug was introduced causing the universal to communicate with the PDC of your domain (instead of nearest DC) regardless of whether evt_resolve_ad_obj was enabled or disabled for each wineventlog based input. I submitted an SPL for this issue and the issue was corrected in version 6.3.0.

http://answers.splunk.com/answers/171507/universal-forwarder-wineventlog-handler-affinity-f.html

woodcock · ‎09-30-2015

According to the dox here:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Monitorwindowsdata

If you discover that Splunk is not translating SIDs properly, review splunkd.log for clues on what the problem might be.

How to debug evt_resolve_ad_obj on a universal forwarder?

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk