
Windows SID Resolving in Splunk

pj
Contributor

As I understand it, Splunk is able to resolve SIDs in Windows Security Events. The documentation around this is not very clear, but I assume Splunk essentially replaces the SID in the event with the resolved name?

We have many forwarders (lightweight) deployed on domain controllers that are version 4.0.9 and higher; however, the SID does not seem to be getting resolved. It is my understanding from the documentation that Windows Security events automatically have evt_resolve_ad_obj = 1 set by default and that there is no need to specify this in the inputs.conf on the forwarder? We are not using the Windows app, in case that makes a difference.

The documentation mentions evt_dc_name and/or evt_dns_name attributes - do these need to be set for this to work?

Hoping that someone can help and clarify the situation around this and also how it works.

Thanks

1 Solution

erga00
Path Finder

The evt_resolve_ad_obj setting is defined in the windows app inside the [WinEventLog:Security] stanza from inputs.conf. If you don't have the windows app then it won't take effect.

All you need to do is add evt_resolve_ad_obj = 1 to the input for the security event log wherever you've defined it.

As for the evt_dc_name & evt_dns_name attributes, you don't have to specify them. Splunk will choose a domain controller on its own. You only use those settings if you want to specify which domain controller it uses.

You're probably going to need to do that if you have multiple sites across slow WAN links. Splunk doesn't use AD site information to pick a local domain controller, so a light forwarder in New York may use the domain controller in London, for example. This greatly slows down indexing, so be careful.
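As an added example (not from the thread), this is the inputs.conf stanza the accepted answer describes, with the optional site-pinning keys; the hostnames are placeholders:

```ini
# Added example, not from the thread. Place in
# $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder (or in the
# local/inputs.conf of whichever app defines the Security input).
# dc01.corp.example.com and corp.example.com are placeholder names.

[WinEventLog:Security]
disabled = 0
# Without this line SIDs arrive as raw S-1-5-21-... strings. The Windows
# app sets it for you; a bare light forwarder does not.
evt_resolve_ad_obj = 1
# Optional: pin resolution to a nearby domain controller. Splunk does
# not consult AD site topology, so without these keys a forwarder may
# bind to a controller across a slow WAN link and slow down indexing.
evt_dc_name = dc01.corp.example.com
evt_dns_name = corp.example.com
```

After restarting the forwarder, searching the Security sourcetype for account fields that still match S-1-5-21-* shows whether resolution is actually taking effect.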



erga00
Path Finder

I was told this issue was fixed in Splunk 4.3 but I haven't tested as I'm still running an older release.


bojanz
Communicator

Do you know if ENH-4128 got implemented? I'm seeing some forwarders have DsBind errors and am wondering if manually setting evt_dns_name could help these errors go away?


erga00
Path Finder

No problem.

By the way, I've logged an enhancement request (ENH-4128) to have Splunk automatically choose a domain controller in the same site.


pj
Contributor

Many thanks for the clarification
