Getting Data In

How to pick your local domain controller for event log SID translation?

javiergn
Super Champion

Hi,

We recently deployed the following config to 500 Windows Universal Forwarders:

[WinEventLog://Security]
disabled = 0
start_from = oldest
evt_resolve_ad_obj = 1

And that almost killed our primary domain controller. For some reason all the forwarders tried to query this PDC instead of contacting their local domain controller so we have disabled the SID translation for now.

A couple of questions:

  • Is there any way to specify evt_dc_name in such a way that the universal fw uses its local domain controller instead of going to the PDC?
  • Could we potentially specify "evt_dc_name = localhost" to force the universal forwarders to translate SIDs locally? Will that work?
  • I know I could deploy different config files per site simply by using whitelists and machine names, but this is not 100% reliable. How do you guys deal with event logs and SID translation in large infrastructures?
  • Finally, is there any way to tell the universal forwarders to cache previously translated SIDs for a certain period of time? It seems to me like a waste of resources to be querying the domain controllers all the time.

Thanks,
Javier

1 Solution

javiergn
Super Champion

Actually yes. There are plenty of options now available since 6.4:

https://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Inputsconf#Windows_Event_Log_Monitor

For example:

evt_resolve_ad_ds = [auto|PDC]
* How the input should choose the domain controller to bind for
  AD resolution.
* This setting is optional.
* If set to PDC, the input only contacts the primary domain controller
  to resolve AD objects.
* If set to auto, the input lets Windows choose the best domain controller.
* If you set the 'evt_dc_name' setting, the input ignores this setting.
* Defaults to 'auto' (let Windows determine the domain controller to use).

evt_ad_cache_disabled = [0|1]
* Enables or disables the AD object cache.
* Defaults to 0.

evt_sid_cache_disabled = [0|1]
* Enables or disables account Security IDentifier (SID) cache.
* This setting is global. It affects all Windows Event Log stanzas.
* Defaults to 0.
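A check to run on one of the forwarder hosts, added here as an example that is not from the thread or from Splunk: it compares the domain controller the Windows DC locator picks for this host (what evt_resolve_ad_ds = auto relies on) with the PDC emulator (what the PDC setting always contacts), then lists the effective evt_* settings for the Security stanza with btool. The Universal Forwarder install path is assumed to be the default one.

```powershell
# Added check, not part of the original thread or of Splunk's own tooling.
# Run in an elevated PowerShell session on a domain-joined Universal Forwarder host.
Add-Type -AssemblyName System.DirectoryServices

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()

# DC locator result for this host. The locator is site-aware, so a forwarder in a
# branch site should land on a DC in (or near) its own site. This is what the
# input relies on when evt_resolve_ad_ds = auto and evt_dc_name is unset.
$localDc = $domain.FindDomainController()

# PDC emulator role owner. Every forwarder configured with evt_resolve_ad_ds = PDC
# converges on this single DC, which is the load pattern described in the question.
$pdc = $domain.PdcRoleOwner

[PSCustomObject]@{
    ComputerSite    = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    LocatorDc       = $localDc.Name
    LocatorDcSite   = $localDc.SiteName
    PdcEmulator     = $pdc.Name
    PdcEmulatorSite = $pdc.SiteName
    # True means "auto" would still hit the PDC for this host, e.g. a single-site domain.
    LocatorIsPdc    = ($localDc.Name -eq $pdc.Name)
}

# Effective settings for the Security input as the forwarder itself resolves them,
# so you can confirm the deployed app actually overrides evt_resolve_ad_ds and the
# cache switches. Install path is the default; adjust if the UF lives elsewhere.
$splunk = 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe'
& $splunk btool inputs list 'WinEventLog://Security' --debug |
    Select-String 'evt_resolve_ad_obj|evt_resolve_ad_ds|evt_dc_name|evt_ad_cache_disabled|evt_sid_cache_disabled'
```

If LocatorDc differs from PdcEmulator on hosts in remote sites, leaving evt_resolve_ad_ds at auto and the two caches enabled spreads the resolution load across site DCs instead of the PDC; the btool output shows which file supplies each value in case a higher-precedence app pins evt_dc_name.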

alemarzu
Motivator

Any answer/solution on this, Javier?
