Splunk Search

Does splunk-wmi use the evt_resolve_ad_obj directive with remote "pulled" event logs?

Path Finder

I'm able to pull the events fine with the config below, but the GUIDs aren't being expanded. I've tried evt_resolve_ad_obj = 1 in both props.conf and wmi.conf - no results either way.

disabled = 0
index = eventlog_filtering_test
evt_resolve_ad_obj = 1

[WMI:DC Event Logs]
disabled = 0
event_log_file =  Security
evt_resolve_ad_obj = 1
interval = 5
server = a-dc-01.xyz.dev1

See the event sample here. Note the %{0fab7c44-78be-4a51-aedd-184e673399f3}, which should be an LDAP DN. I think this would work if I pulled the event from a local log (splunk-winevtlog.exe) but not via remote (splunk-wmi.exe).

CategoryString=Directory Service Access
Type=Audit Success
Message=An operation was performed on an object.

Subject :
        Security ID:            S-1-5-21-2936888650-2301900656-1271333847-1105
        Account Name:           john.doe
        Account Domain:         XYZ
        Logon ID:               0x2dfce05

        Object Server:          DS
        Object Type:            %{bf967a9c-0de6-11d0-a285-00aa003049e2}
        Object Name:            %{0fab7c44-78be-4a51-aedd-184e673399f3}
        Handle ID:              0x0

        Operation Type:         Object Access
        Accesses:               Write Property

        Access Mask:            0x20
        Properties:             Write Property

Has anyone gotten this working?


Tags (3)

Splunk Employee
Splunk Employee

We don't document that evt_resolve_ad_obj has any effect for WMI inputs. It's only documented for the inputs.conf file for [WinEventLog:] formatted inputs, and that's the only place this setting is observed/used.

Path Finder

Do you have any update on when Splunk will support this for WMI? It makes sense that events from WMI have same format as they are gotten locally. Any bug or enhancement number for this issue?

0 Karma


Just bumping this one as it still is an issue in the current version of Splunk.


Based on my further testing splunk-wmi.exe completely ignores the evt_resolve_ad_obj flag. When pulling from Windows 2003, WMI always resolves the GUIDs to Distinguished Names. When pulling from Windows 2008, WMI never resolves the GUIDs to Distinguished Names.

Feature request: Add support for evt_resolve_ad_obj to Splunk WMI.

Hugh's example is a Windows 2008 security log. I've also tested with splunk-4.2.1-98164-x64-release.msi, splunkforwarder-4.2.1-98164-x64-release.msi, and splunkforwarder-4.2-96430-x64-release.msi pulling security logs over WMI from a Windows 2003 Domain Controller. I've also tested with splunk-4.2.1-98164-x64-release.msi pulling security logs over WMI from a Windows 2008 R2 Domain Controller.

I've tried evt_resolve_ad_obj = 1 and evt_resolve_ad_obj = 0 in each of these config stanzas:


[WMI:DC Security Log]
disabled = 0
event_log_file = Security
evt_resolve_ad_obj = 0
index = default
interval = 5
server =


evt_resolve_ad_obj = 0
disabled = 0

evt_resolve_ad_obj = 0

evt_resolve_ad_obj = 0

In our case, we're specifically interested in pulling raw guids from the Windows Security Log "Object Name" field on 2003 and the Object "GUID" field on 2008. The Windows 2008 default is in line with our goal. But our goal is opposite Hugh's goal of pulling the resolved names, hence the need for a flag to turn it on and off.

Path Finder

What i got is a little bit different: 2003 WMI events always translate SID and always not translate GUID regardless the value of evt_resolve_ad_obj set on forwarder.

0 Karma


I can't get Splunk to respect the evt_resolve_ad_obj setting for WMI either. I'm having a similar problem where I want the Security Log to have GUIDs instead of resolving Distinguished Names (opposite of your problem). I've put evt_resolve_ad_obj=0 in several stanzas of inputs.conf but no dice! I'm running a Splunk 4.2.1 forwarder on Windows 2003 R2.

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...