Getting Data In

Why the error: Windows Event Logs: renderXml and evt_resolve_ad_obj?

ohbuckeyeio
Communicator

I am deploying the Splunk Windows TA to my UFs.  My test case if UF 8.2.9 and Splunk_TA_windows 8.5. 

When I create inputs that have both renderXml=true and evt_resolve_ad_obj = 1, I am not receiving the SID translations. However, it works sending back standard events instead of XML. Is evt_resolve_ad_obj not supported with renderXml? The documentation makes no mention of this.

The "WinEventLog://Security" input has these settings applied, but the AD search results are not coming back for that input either.

I found nothing in the splunk.log showing any errors.

Here is an example I tried to build outside of the Security events. Again, the evt_resolve_ad_obj works if I remove renderXml=true:

 

 

[WinEventLog://Microsoft-Windows-PushNotification-Platform/Operational]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = win
renderXml=true

 

 

Labels (2)
0 Karma

Wanki
Loves-to-Learn Everything

I've encountered a similar issue with the Microsoft-Windows-DNS-Client/Operational log. I wonder if you've found a solution for this case. If you have, could you please share it with me?

0 Karma

ohbuckeyeio
Communicator

I ended up removing the renderXml=true option. It does not look like evt_resolve_ad_obj works with XML or is broken.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...