Why the error: Windows Event Logs: renderXml and e...

ohbuckeyeio · ‎01-04-2023

I am deploying the Splunk Windows TA to my UFs. My test case if UF 8.2.9 and Splunk_TA_windows 8.5.

When I create inputs that have both renderXml=true and evt_resolve_ad_obj = 1, I am not receiving the SID translations. However, it works sending back standard events instead of XML. Is evt_resolve_ad_obj not supported with renderXml? The documentation makes no mention of this.

The "WinEventLog://Security" input has these settings applied, but the AD search results are not coming back for that input either.

I found nothing in the splunk.log showing any errors.

Here is an example I tried to build outside of the Security events. Again, the evt_resolve_ad_obj works if I remove renderXml=true:

[WinEventLog://Microsoft-Windows-PushNotification-Platform/Operational]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = win
renderXml=true

Wanki · ‎08-01-2023

I've encountered a similar issue with the Microsoft-Windows-DNS-Client/Operational log. I wonder if you've found a solution for this case. If you have, could you please share it with me?

ohbuckeyeio · ‎08-01-2023

I ended up removing the renderXml=true option. It does not look like evt_resolve_ad_obj works with XML or is broken.

Why the error: Windows Event Logs: renderXml and evt_resolve_ad_obj?

universal forwarder

Windows

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update