Getting Data In

Translate GUID in Windows Event Log?

muebel
SplunkTrust
SplunkTrust

How would I configure Splunk to index WindowsEventLog events with the GUID's translated to their corresponding objects?

Tags (3)
1 Solution

muebel
SplunkTrust
SplunkTrust

Doc searching turned up the answer (I think):

http://www.splunk.com/base/Documentation/4.1.5/Admin/Inputsconf

evt_resolve_ad_obj = 1|0 Enables/disables resolving active directory objects like GUID/SID objects for a specific windows event log channel. By default this option it turned on for Security event logs. Optionally you can specify the Domain Controller name and/or DNS name of the domain to bind to which then splunk will use to resolve the AD objects.

View solution in original post

muebel
SplunkTrust
SplunkTrust

Doc searching turned up the answer (I think):

http://www.splunk.com/base/Documentation/4.1.5/Admin/Inputsconf

evt_resolve_ad_obj = 1|0 Enables/disables resolving active directory objects like GUID/SID objects for a specific windows event log channel. By default this option it turned on for Security event logs. Optionally you can specify the Domain Controller name and/or DNS name of the domain to bind to which then splunk will use to resolve the AD objects.

View solution in original post

hughkelley
Path Finder

Does this work for "remote pulled" event logs as well? I've put the following in inputs.conf but it does not seem to be doing lookups.

[default] evt_dc_name = evt_dns_name =

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path] disabled = 0 index = eventlog_filtering_test evt_resolve_ad_obj = 1 # resolved GUIDs and SIDs in the event data

0 Karma

ftk
Motivator

Hey muebel, did that solve your problem? If so please accept the answer as correct to close this question out. Thanks dude!

0 Karma