Does splunk-wmi use the evt_resolve_ad_obj directive with remote "pulled" event logs?

hughkelley
Path Finder

I'm able to pull the events fine with the config below, but the GUIDs aren't being expanded. I've tried evt_resolve_ad_obj = 1 in both props.conf and wmi.conf - no results either way.

#inputs.conf
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
index = eventlog_filtering_test
evt_resolve_ad_obj = 1

#wmi.conf
[WMI:DC Event Logs]
disabled = 0
event_log_file =  Security
evt_resolve_ad_obj = 1
interval = 5
server = a-dc-01.xyz.dev1

See the event sample here. Note the %{0fab7c44-78be-4a51-aedd-184e673399f3}, which should be an LDAP DN. I think this would work if I pulled the event from a local log (splunk-winevtlog.exe) but not via remote (splunk-wmi.exe).

Category=14080
CategoryString=Directory Service Access
ComputerName=A-DC-01.xyz.dev1
EventCode=4662
EventIdentifier=4662
EventType=4
Logfile=Security
RecordNumber=4882247
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20110408172310.201214-000
TimeWritten=20110408172310.201214-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=An operation was performed on an object.

Subject :
        Security ID:            S-1-5-21-2936888650-2301900656-1271333847-1105
        Account Name:           john.doe
        Account Domain:         XYZ
        Logon ID:               0x2dfce05

Object:
        Object Server:          DS
        Object Type:            %{bf967a9c-0de6-11d0-a285-00aa003049e2}
        Object Name:            %{0fab7c44-78be-4a51-aedd-184e673399f3}
        Handle ID:              0x0

Operation:
        Operation Type:         Object Access
        Accesses:               Write Property

        Access Mask:            0x20
        Properties:             Write Property
                {e48d0154-bcf8-11d1-8702-00c04fb96050}
                        {bf967950-0de6-11d0-a285-00aa003049e2}
        {bf967a9c-0de6-11d0-a285-00aa003049e2}

Has anyone gotten this working?

Hugh

jrodman
Splunk Employee

We don't document that evt_resolve_ad_obj has any effect for WMI inputs. It's only documented for the inputs.conf file for [WinEventLog:] formatted inputs, and that's the only place this setting is observed/used.

tonopahtaos
Path Finder

Do you have any update on when Splunk will support this for WMI? It makes sense that events from WMI should have the same format as when they are collected locally. Is there any bug or enhancement number for this issue?

Corey
Explorer

Just bumping this one as it still is an issue in the current version of Splunk.

davidtwamley
Explorer

Based on my further testing splunk-wmi.exe completely ignores the evt_resolve_ad_obj flag. When pulling from Windows 2003, WMI always resolves the GUIDs to Distinguished Names. When pulling from Windows 2008, WMI never resolves the GUIDs to Distinguished Names.

Feature request: Add support for evt_resolve_ad_obj to Splunk WMI.

Hugh's example is a Windows 2008 security log. I've also tested with splunk-4.2.1-98164-x64-release.msi, splunkforwarder-4.2.1-98164-x64-release.msi, and splunkforwarder-4.2-96430-x64-release.msi pulling security logs over WMI from a Windows 2003 Domain Controller. I've also tested with splunk-4.2.1-98164-x64-release.msi pulling security logs over WMI from a Windows 2008 R2 Domain Controller.

I've tried evt_resolve_ad_obj = 1 and evt_resolve_ad_obj = 0 in each of these config stanzas:

wmi.conf

[WMI:DC Security Log]
disabled = 0
event_log_file = Security
evt_resolve_ad_obj = 0
index = default
interval = 5
server = 192.168.0.2

inputs.conf

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
evt_resolve_ad_obj = 0
disabled = 0

[WMI:WinEventLog:Security]
evt_resolve_ad_obj = 0

[WinEventLog:Security]
evt_resolve_ad_obj = 0

In our case, we're specifically interested in pulling raw GUIDs from the Windows Security Log "Object Name" field on 2003 and the Object "GUID" field on 2008. The Windows 2008 default is in line with our goal. But our goal is the opposite of Hugh's goal of pulling the resolved names, hence the need for a flag to turn it on and off.
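Since splunk-wmi delivers the 4662 message body with the GUIDs unresolved (as in Hugh's sample above) and there is no flag to switch resolution on or off, one practical option for either goal in this thread is to keep the raw event and resolve GUIDs after ingestion, for example from a scripted lookup. The following is an added example, not code from the thread or from Splunk: it parses the 4662 message body into its sections, collects every `%{guid}` / `{guid}` token, and substitutes names from a lookup table, reporting anything it cannot resolve rather than dropping it. The sample message is constructed to match the format quoted in the first post; the lookup values (the `user` class name and the DN) and the function names are constructed for illustration and would come from your own directory in practice.

```python
import re

# Constructed sample, modelled on the 4662 message body quoted in the thread.
SAMPLE_4662 = """An operation was performed on an object.

Subject :
        Security ID:            S-1-5-21-2936888650-2301900656-1271333847-1105
        Account Name:           john.doe
        Account Domain:         XYZ
        Logon ID:               0x2dfce05

Object:
        Object Server:          DS
        Object Type:            %{bf967a9c-0de6-11d0-a285-00aa003049e2}
        Object Name:            %{0fab7c44-78be-4a51-aedd-184e673399f3}
        Handle ID:              0x0

Operation:
        Operation Type:         Object Access
        Accesses:               Write Property

        Access Mask:            0x20
        Properties:             Write Property
                {e48d0154-bcf8-11d1-8702-00c04fb96050}
                        {bf967950-0de6-11d0-a285-00aa003049e2}
        {bf967a9c-0de6-11d0-a285-00aa003049e2}
"""

# Matches both the "%{guid}" form used in Object Type/Object Name and the bare
# "{guid}" form used in the Properties list; group 1 is the GUID itself.
GUID_RE = re.compile(r"%?\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}")
# "Key:   value" lines inside a section (leading whitespace is ignored).
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")

# Constructed lookup table (hypothetical values). In a real deployment this
# would be populated from schemaIDGUID / objectGUID values of your own domain.
GUID_LOOKUP = {
    "bf967a9c-0de6-11d0-a285-00aa003049e2": "user",
    "0fab7c44-78be-4a51-aedd-184e673399f3": "CN=John Doe,OU=Staff,DC=xyz,DC=dev1",
}


def parse_4662(message):
    """Split a 4662 message body into sections of key/value fields.

    Returns {"sections": {"Subject": {...}, "Object": {...}, ...},
             "guids": [every GUID found, lower-cased, in order]}.
    """
    sections = {}
    current = None
    for line in message.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        # Section headers ("Subject :", "Object:") sit at column 0 and end with a colon.
        if stripped.endswith(":") and not line.startswith((" ", "\t")):
            current = stripped.rstrip(" :")
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None and m.group(2):
            sections[current][m.group(1).strip()] = m.group(2)
    guids = [g.lower() for g in GUID_RE.findall(message)]
    return {"sections": sections, "guids": guids}


def resolve_guids(parsed, lookup):
    """Return (sections with GUID tokens replaced by lookup names, sorted unresolved GUIDs).

    Unknown GUIDs are left verbatim in the field value so the raw identifier is
    never lost; they are also returned so the lookup table can be extended.
    """
    def substitute(m):
        return lookup.get(m.group(1).lower(), m.group(0))

    resolved = {
        section: {key: GUID_RE.sub(substitute, value) for key, value in fields.items()}
        for section, fields in parsed["sections"].items()
    }
    unresolved = sorted({g for g in parsed["guids"] if g not in lookup})
    return resolved, unresolved


if __name__ == "__main__":
    parsed = parse_4662(SAMPLE_4662)
    resolved, unresolved = resolve_guids(parsed, GUID_LOOKUP)
    print("Object:", resolved["Object"])
    print("Unresolved GUIDs:", unresolved)
```

Because the raw GUID is preserved whenever the lookup has no entry, the same event can serve both davidtwamley's use case (keep the GUIDs) and Hugh's (show the resolved names) without depending on what splunk-wmi happens to do for a given Windows version.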

tonopahtaos
Path Finder

What I got is a little bit different: 2003 WMI events always translate the SID and never translate the GUID, regardless of the value of evt_resolve_ad_obj set on the forwarder.

davidtwamley
Explorer

I can't get Splunk to respect the evt_resolve_ad_obj setting for WMI either. I'm having a similar problem where I want the Security Log to have GUIDs instead of resolving Distinguished Names (opposite of your problem). I've put evt_resolve_ad_obj=0 in several stanzas of inputs.conf but no dice! I'm running a Splunk 4.2.1 forwarder on Windows 2003 R2.
