How to debug evt_resolve_ad_obj on a universal forwarder?

Ed_Alias
Path Finder

Hi,

I am trying to debug evt_resolve_ad_obj not working properly.

How do I enable debug to see which Domain Controller is being contacted, and see the answer from the DC?

I am on UF 6.2.3 on Windows Server 2008 R2.

0 Karma

dstaulcu
Builder

Hello

Given that you are checking on the DC used by a UF, I suspect you have stumbled across a bug I struggled with for a while.

Somewhere between version 6.0 and 6.0.3, a bug was introduced causing the universal forwarder to communicate with the PDC of your domain (instead of the nearest DC) regardless of whether evt_resolve_ad_obj was enabled or disabled for each wineventlog-based input. I submitted an SPL for this issue and the issue was corrected in version 6.3.0.

http://answers.splunk.com/answers/171507/universal-forwarder-wineventlog-handler-affinity-f.html

0 Karma

woodcock
Esteemed Legend

According to the dox here:

http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/Monitorwindowsdata

If you discover that Splunk is not translating SIDs properly, review splunkd.log for clues on what the problem might be.

0 Karma
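The two answers above suggest checking which DC the forwarder actually talks to (dstaulcu's PDC-affinity bug) and reading splunkd.log (woodcock's docs pointer). The following PowerShell diagnostic is an added example, not code from the thread or from Splunk; it assumes the default UF install path under `%ProgramFiles%\SplunkUniversalForwarder`, a domain-joined host, and that `nltest` and `netstat` are available (both ship with Windows Server 2008 R2).

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell on the UF host.
# Assumption: default UF install path; host is joined to the domain in $env:USERDNSDOMAIN.
$domain    = $env:USERDNSDOMAIN
$splunkLog = "$env:ProgramFiles\SplunkUniversalForwarder\var\log\splunk\splunkd.log"

# 1) What the DC locator hands out (site-aware "nearest" DC) versus the PDC emulator.
function Get-DcFromNltest([string[]]$nltestArgs) {
    $line = nltest $nltestArgs | Select-String '^\s*DC:' | Select-Object -First 1
    if ($line) { ($line.Line -split ':', 2)[1].Trim() } else { '<not found>' }
}
$nearest = Get-DcFromNltest @("/dsgetdc:$domain")
$pdc     = Get-DcFromNltest @("/dsgetdc:$domain", '/PDC')
"Locator DC : $nearest"
"PDC        : $pdc"

# 2) Which remote hosts splunkd.exe currently has established on AD-related ports
#    (Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS, Global Catalog).
$adPorts   = 88, 135, 389, 445, 636, 3268
$splunkPid = (Get-Process splunkd -ErrorAction SilentlyContinue | Select-Object -First 1).Id
if ($splunkPid) {
    netstat -ano | Select-String 'ESTABLISHED' | ForEach-Object {
        # netstat columns: Proto  Local Address  Foreign Address  State  PID
        $f = ($_.Line -split '\s+') | Where-Object { $_ -ne '' }
        if ($f[-1] -eq "$splunkPid") {
            $remote = $f[2]
            $port   = [int]($remote -split ':')[-1]   # works for IPv4 and [IPv6]:port
            if ($adPorts -contains $port) { "splunkd (PID $splunkPid) -> $remote" }
        }
    }
} else { "splunkd.exe is not running" }

# 3) Recent splunkd.log lines from the Windows event log input, per the docs' advice.
#    'WinEventLog' is a heuristic filter on the component/stanza name, not a documented format.
if (Test-Path $splunkLog) {
    Get-Content $splunkLog | Select-String 'WinEventLog' | Select-Object -Last 20 |
        ForEach-Object { $_.Line }
}
```

If step 2 shows splunkd connected to the PDC while the locator returns a different DC, that matches the behaviour dstaulcu describes; the `evt_dc_name` setting in the input's inputs.conf stanza can pin AD object resolution to a specific DC while you investigate.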