Solved: Translate GUID in Windows Event Log?

muebel · ‎12-13-2010

How would I configure Splunk to index WindowsEventLog events with the GUID's translated to their corresponding objects?

muebel · ‎12-13-2010

Doc searching turned up the answer (I think):

http://www.splunk.com/base/Documentation/4.1.5/Admin/Inputsconf

evt_resolve_ad_obj = 1|0 Enables/disables resolving active directory objects like GUID/SID objects for a specific windows event log channel. By default this option it turned on for Security event logs. Optionally you can specify the Domain Controller name and/or DNS name of the domain to bind to which then splunk will use to resolve the AD objects.

View solution in original post

muebel · ‎12-13-2010

Doc searching turned up the answer (I think):

http://www.splunk.com/base/Documentation/4.1.5/Admin/Inputsconf

evt_resolve_ad_obj = 1|0 Enables/disables resolving active directory objects like GUID/SID objects for a specific windows event log channel. By default this option it turned on for Security event logs. Optionally you can specify the Domain Controller name and/or DNS name of the domain to bind to which then splunk will use to resolve the AD objects.

View solution in original post

hughkelley · ‎04-08-2011

Does this work for "remote pulled" event logs as well? I've put the following in inputs.conf but it does not seem to be doing lookups.

[default] evt_dc_name = evt_dns_name =

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path] disabled = 0 index = eventlog_filtering_test evt_resolve_ad_obj = 1 # resolved GUIDs and SIDs in the event data

ftk · ‎02-07-2011

Hey muebel, did that solve your problem? If so please accept the answer as correct to close this question out. Thanks dude!

Translate GUID in Windows Event Log?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE! Catch Up Now >>

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Catch Up Now >>