Hi,
I just upgraded my Universal Forwarder on a Windows server,
and since then it gives me this error in Splunkd.log
ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - EvtDC::connectToDC: DsBind failed: (1722)
The forwarder is still working but the serverclass didn't update ...
Help would be great 😃
FYI, I resolved this in my own Splunk deployment. In $SPLUNK_HOME/etc/apps/$WINDOWS_ADDON/local/inputs.conf
I had quotes around our domain name for evt_dc_name. I removed them, the problem went away, and our wineventlog:security events stopped being delayed. This behavior began after upgrading our deployment to 6.0.2.
If you are seeing these errors with a basic event logging setup and you don't have your universal forwarders talking to AD to resolve AD objects in events, you might want to try this in your inputs.conf:
evt_resolve_ad_obj = 0
This tells the forwarder not to try to resolve AD objects. The default with this input type is to do so but if you don't set up the AD binding with evt_dc_name or evt_dns_name it does not work so you will see tons of these errors.
Adding
[default]
evt_resolve_ad_obj = 0
to inputs.conf (on our Universal Forwarders) fixed the problem here when our Windows AD server changed.
Thanks!
Do we need to add this in limits.conf or inputs.conf?
SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf
only, in my setup.
My apologies for the previous typo. Will fix it.
I still get the same error even after adding that.
Same problem even with version 6.2. Is there any fix for this?
I have that field blank and I am still getting the errors. We use multiple domains so I am not sure if putting in a domain name is feasible. Any other ideas?
And thanks to you my forwarder is happy again!
TcpOutputProc - Connected to idx=10.2xx.xxx.xxx:9997 using ACK
Thank you !
Same here. I ran across this while troubleshooting the fact that the wineventlogs stopped coming across on a couple of DCs. Whatever is causing this...not fun.
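A way to check an inputs.conf for the two causes reported in this thread (quotes around evt_dc_name, and AD object resolution left on with no evt_dc_name or evt_dns_name set). This is an added example, not code from any poster or from Splunk; the sample file, the function names and the treatment of an unset evt_resolve_ad_obj as enabled (following the description in the thread) are assumptions.

```python
import re

# Constructed sample inputs.conf (not from the thread) containing both problems.
SAMPLE = r'''
[default]
evt_dc_name = "corp.example.com"

[WinEventLog://Security]
evt_resolve_ad_obj = 1

[WinEventLog://System]
evt_resolve_ad_obj = 0

[WinEventLog://Application]
evt_dc_name =
'''

def parse_conf(text):
    """Return {stanza: {key: value}} for a Splunk-style .conf file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint_inputs(text, default_resolve=True):
    """List (stanza, key, problem); default_resolve is an assumption from the thread."""
    stanzas, findings = parse_conf(text), []
    defaults = stanzas.get("default", {})
    for name, own in stanzas.items():
        if name != "default" and not name.startswith("WinEventLog://"):
            continue
        for key in ("evt_dc_name", "evt_dns_name"):
            v = own.get(key, "")
            if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
                findings.append((name, key, "quoted value"))
        conf = {**defaults, **own}  # stanza settings override [default]
        flag = conf.get("evt_resolve_ad_obj")
        resolve = default_resolve if flag is None else flag.lower() in ("1", "true", "yes")
        if name != "default" and resolve and not (conf.get("evt_dc_name") or conf.get("evt_dns_name")):
            findings.append((name, "evt_resolve_ad_obj", "AD resolution on, no DC set"))
    return findings
```

Run `lint_inputs(open(path).read())` against each forwarder app's local/inputs.conf, for example on the deployment server before the app is pushed.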