- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to debug evt_resolve_ad_obj on a universal forwarder?
Hi,
I am trying to debug evt_resolve_ad_obj not working properly?
How do I enable debug to see wich Domain Controller is being contacted, and see the answer from the DC?
i am on UF 6.2.3 on windows server 2008R2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
For the fact that you are checking on the DC used by a UF, I suspect you have stumbled across a bug I struggled with for a while..
Somewhere between version 6.0 and 6.0.3, a bug was introduced causing the universal to communicate with the PDC of your domain (instead of nearest DC) regardless of whether evt_resolve_ad_obj was enabled or disabled for each wineventlog based input. I submitted an SPL for this issue and the issue was corrected in version 6.3.0.
http://answers.splunk.com/answers/171507/universal-forwarder-wineventlog-handler-affinity-f.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to the dox here:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Monitorwindowsdata
If you discover that Splunk is not translating SIDs properly, review splunkd.log for clues on what the problem might be.
