Getting Data In

Windows SID Resolving in Splunk

pj
Contributor

As I understand it, Splunk is able to resolve SIDs in Windows Security Events. The documentation around this is not very clear, but I assume Splunk essentially replaces the SID in the event with the resolved name?

We have many forwarders (lightweight) deployed on domain controllers that are version 4.0.9 and higher, however the SID does not seem to be getting resolved. It is my understanding from the documentation that windows security events automatically have evt_resolve_ad_obj = 1 set by default and that there is no need to specify this in the inputs.conf on the forwarder? We are not using the windows app in case that makes a difference.

The documentation mentions evt_dc_name and/or evt_dns_name attributes - do these need to be set for this to work?

Hoping that someone can help and clarify the situation around this and also how it works.

Thanks

1 Solution

erga00
Path Finder

The evt_resolve_ad_obj setting is defined in the windows app inside the [WinEventLog:Security] stanza from inputs.conf. If you don't have the windows app then it won't take effect.

All you need to do is add evt_resolve_ad_obj = 1 to the input for the security event log wherever you've defined it.

As for evt_dc_name & evt_dns_name attributes, you don't have to specify them. Splunk will choose a domain controller on its own. You only use those settings if you want to specify which domain controller it uses.

Which you're probably going to need to do if you have multiple sites across slow WAN links. Splunk doesn't use AD site information to pick a local domain controller so a light forwarder in New York may use the domain controller in London for example. This greatly slows down indexing so be careful.
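As an added example (not from the thread or from Splunk's own documentation), the two inputs.conf variants the answer describes, side by side. The index name, domain controller host name and domain DNS name are placeholders; the settings themselves (evt_resolve_ad_obj, evt_dc_name, evt_dns_name) are the real WinEventLog input keys.

```ini
# Added example, not from the original post. Two alternative inputs.conf
# fragments for a light/universal forwarder on a domain controller.
# Deploy only ONE of the two [WinEventLog:Security] stanzas per forwarder.

# --- Variant A (the situation in the question) -------------------------
# Security log is collected, but no stanza asks for AD object resolution,
# so account fields arrive as raw SIDs (S-1-5-21-...) in the indexed events.
[WinEventLog:Security]
disabled = 0
index = wineventlog

# --- Variant B (what the answer recommends) ----------------------------
# Resolution switched on explicitly, because without the Windows app there
# is no stanza providing the default.
[WinEventLog:Security]
disabled = 0
index = wineventlog
evt_resolve_ad_obj = 1
# Optional: pin the DC used for lookups. Placeholders below; pick a domain
# controller in the SAME site as this forwarder, since Splunk does not use
# AD site topology to choose one and a remote DC over a slow WAN link will
# slow indexing (the answer's caveat).
evt_dc_name = DC01-SITE-A
evt_dns_name = corp.example.com
```

After editing inputs.conf, restart the forwarder so the new stanza takes effect, and check a fresh Security event in search to confirm the SID fields now carry resolved names.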


erga00
Path Finder

I was told this issue was fixed in Splunk 4.3 but I haven't tested as I'm still running an older release.


bojanz
Communicator

Do you know if ENH-4128 got implemented? I'm seeing some forwarders have DsBind errors and am wondering if manually setting evt_dns_name could help these errors go away?


erga00
Path Finder

No problem.

By the way, I've logged enhancement request (ENH-4128) to have Splunk automatically choose a domain controller in the same site.


pj
Contributor

Many thanks for the clarification
