Solved: How to pick your local domain controller for event...

javiergn · ‎10-08-2014

Hi,

We recently deployed the following config to 500 Windows Universal Forwarders:

[WinEventLog://Security]
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1

And that almost killed our primary domain controller. For some reason all the forwarders tried to query this PDC instead of contacting their local domain controller so we have disabled the SID translation for now.

Couple of questions:

Is there any way to specify evt_dc_name in such a way that the universal fw uses its local domain controller instead of going to the PDC?
Could we potentially specify "evt_dc_name = localhost" to force the universal forwarders to translate SIDs locally? Will that work?
I know I could deploy different config files per sites simply by using whitelists and machine names, but this is not 100% reliable, how do you guys deal with event logs and sid translation in large infrastructures?
Finally, is there any way to tell the universal forwarders to cache SID previously translated for a certain period of time? it seems to me like a waster of resources to be querying the domain controllers all the time.

Thanks,
Javier

javiergn · ‎11-23-2016

Actually yes. There are plenty of options now available since 6.4:

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf#Windows_Event_Log_Monitor

For example:

evt_resolve_ad_ds =[auto|PDC]
* How the input should choose the domain controller to bind for
  AD resolution.
* This setting is optional.
* If set to PDC, the input only contacts the primary domain controller
  to resolve AD objects.
* If set to auto, the input lets Windows chose the best domain controller.
* If you set the 'evt_dc_name' setting, the input ignores this setting.
* Defaults to 'auto' (let Windows determine the domain controller to use

evt_ad_cache_disabled = [0|1]
* Enables or disables the AD object cache.
* Defaults to 0.

evt_sid_cache_disabled = [0|1]
* Enables or disables account Security IDentifier (SID) cache.
* This setting is global. It affects all Windows Event Log stanzas.
* Defaults to 0.

View solution in original post

javiergn · ‎11-23-2016

Actually yes. There are plenty of options now available since 6.4:

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf#Windows_Event_Log_Monitor

For example:

evt_resolve_ad_ds =[auto|PDC]
* How the input should choose the domain controller to bind for
  AD resolution.
* This setting is optional.
* If set to PDC, the input only contacts the primary domain controller
  to resolve AD objects.
* If set to auto, the input lets Windows chose the best domain controller.
* If you set the 'evt_dc_name' setting, the input ignores this setting.
* Defaults to 'auto' (let Windows determine the domain controller to use

evt_ad_cache_disabled = [0|1]
* Enables or disables the AD object cache.
* Defaults to 0.

evt_sid_cache_disabled = [0|1]
* Enables or disables account Security IDentifier (SID) cache.
* This setting is global. It affects all Windows Event Log stanzas.
* Defaults to 0.

alemarzu · ‎11-22-2016

Any answer/solution on this Javier ?

How to pick your local domain controller for event log SID translation?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Are you a member of the Splunk Community?

How to pick your local domain controller for event log SID translation?

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...