Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to debug evt_resolve_ad_obj on a universal forwarder?

Ed_Alias
Path Finder
‎07-06-2015 06:55 AM

Hi,

I am trying to debug evt_resolve_ad_obj not working properly?

How do I enable debug to see wich Domain Controller is being contacted, and see the answer from the DC?

i am on UF 6.2.3 on windows server 2008R2.

0 Karma
Reply

dstaulcu
Builder
‎10-04-2015 08:35 PM

Hello

For the fact that you are checking on the DC used by a UF, I suspect you have stumbled across a bug I struggled with for a while..

Somewhere between version 6.0 and 6.0.3, a bug was introduced causing the universal to communicate with the PDC of your domain (instead of nearest DC) regardless of whether evt_resolve_ad_obj was enabled or disabled for each wineventlog based input. I submitted an SPL for this issue and the issue was corrected in version 6.3.0.

http://answers.splunk.com/answers/171507/universal-forwarder-wineventlog-handler-affinity-f.html

0 Karma
Reply

woodcock
Esteemed Legend
‎09-30-2015 09:29 AM

According to the dox here:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Monitorwindowsdata

If you discover that Splunk is not translating SIDs properly, review splunkd.log for clues on what the problem might be.
0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top