I am deploying the Splunk Windows TA to my UFs. My test case is UF 8.2.9 and Splunk_TA_windows 8.5.
When I create inputs that have both renderXml=true and evt_resolve_ad_obj = 1, I am not receiving the SID translations. However, it works sending back standard events instead of XML. Is evt_resolve_ad_obj not supported with renderXml? The documentation makes no mention of this.
The "WinEventLog://Security" input has these settings applied, but the AD search results are not coming back for that input either.
I found nothing in the splunk.log showing any errors.
Here is an example I tried to build outside of the Security events. Again, the evt_resolve_ad_obj works if I remove renderXml=true:
[WinEventLog://Microsoft-Windows-PushNotification-Platform/Operational]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = win
renderXml = true
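As an added example (not code from the original post, Splunk, or the Windows TA): when an input is collected with renderXml=true, the `<Data Name='...Sid'>` values in EventData arrive as raw SIDs, and one way to recover account names on the consuming side is to resolve them from a lookup table after the fact. The script below parses a constructed XML-rendered 4624-style event, pulls out every EventData field whose value looks like a SID, and annotates it from a lookup; the well-known SIDs are fixed by Windows, while the domain SID, RIDs, account names, hostname, and the function names are assumptions made up for this example. It also shows the failure mode of an unknown SID, which stays unresolved rather than raising.

```python
"""Post-hoc SID annotation for XML-rendered Windows events (added example)."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows XML event rendering.
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Well-known SIDs are fixed by Windows and safe to hardcode.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

# Constructed domain lookup: the domain SID, RIDs and names are placeholders.
# In a real deployment this table would be exported from the directory.
DOMAIN_SID_LOOKUP = {
    "S-1-5-21-1111111111-2222222222-3333333333-1105": "EXAMPLE\\alice",
    "S-1-5-21-1111111111-2222222222-3333333333-512": "EXAMPLE\\Domain Admins",
}

# Constructed sample event, shaped like a Security 4624 rendered with renderXml=true.
SAMPLE_XML_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing'/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>host01.example.test</Computer>
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>S-1-5-18</Data>
    <Data Name='SubjectUserName'>HOST01$</Data>
    <Data Name='TargetUserSid'>S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name='TargetUserName'>alice</Data>
    <Data Name='LogonType'>3</Data>
  </EventData>
</Event>"""


def resolve_sid(sid, domain_lookup=DOMAIN_SID_LOOKUP):
    """Return the account name for a SID, or None when it is not in either table."""
    return WELL_KNOWN_SIDS.get(sid) or domain_lookup.get(sid)


def extract_sid_fields(xml_text):
    """Return {data_name: sid} for every EventData field whose value is a SID."""
    root = ET.fromstring(xml_text)
    fields = {}
    for data in root.iter(f"{{{EVT_NS}}}Data"):
        name = data.get("Name")
        value = (data.text or "").strip()
        if name and SID_RE.match(value):
            fields[name] = value
    return fields


def annotate_event(xml_text, domain_lookup=DOMAIN_SID_LOOKUP):
    """Return {field: {"sid": raw_sid, "resolved": name_or_None}} for one XML event."""
    return {
        name: {"sid": sid, "resolved": resolve_sid(sid, domain_lookup)}
        for name, sid in extract_sid_fields(xml_text).items()
    }


def to_kv_fields(annotated):
    """Flatten annotations into key=value pairs, adding <field>_resolved where known."""
    out = []
    for name, info in sorted(annotated.items()):
        out.append(f'{name}="{info["sid"]}"')
        if info["resolved"] is not None:
            out.append(f'{name}_resolved="{info["resolved"]}"')
    return " ".join(out)


if __name__ == "__main__":
    print(to_kv_fields(annotate_event(SAMPLE_XML_EVENT)))
```

Run stand-alone it prints the two SID fields from the sample with their resolved names appended; a SID missing from both tables is emitted with no `_resolved` pair, so downstream searches can still distinguish "unresolved" from "resolved to nothing".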
I've encountered a similar issue with the Microsoft-Windows-DNS-Client/Operational log. I wonder if you've found a solution for this case. If you have, could you please share it with me?
I ended up removing the renderXml=true option. It does not look like evt_resolve_ad_obj works with XML or is broken.