
Does splunk-wmi use the evt_resolve_ad_obj directive with remote "pulled" event logs?

Path Finder

I'm able to pull the events fine with the config below, but the GUIDs aren't being expanded. I've tried evt_resolve_ad_obj = 1 in both props.conf and wmi.conf - no results either way.

#inputs.conf
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
index = eventlog_filtering_test
evt_resolve_ad_obj = 1

#wmi.conf
[WMI:DC Event Logs]
disabled = 0
event_log_file = Security
evt_resolve_ad_obj = 1
interval = 5
server = a-dc-01.xyz.dev1

See the event sample here. Note the %{0fab7c44-78be-4a51-aedd-184e673399f3}, which should be an LDAP DN. I think this would work if I pulled the event from a local log (splunk-winevtlog.exe) but not via remote (splunk-wmi.exe).

Category=14080
CategoryString=Directory Service Access
ComputerName=A-DC-01.xyz.dev1
EventCode=4662
EventIdentifier=4662
EventType=4
Logfile=Security
RecordNumber=4882247
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20110408172310.201214-000
TimeWritten=20110408172310.201214-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=An operation was performed on an object.

Subject :
        Security ID:            S-1-5-21-2936888650-2301900656-1271333847-1105
        Account Name:           john.doe
        Account Domain:         XYZ
        Logon ID:               0x2dfce05

Object:
        Object Server:          DS
        Object Type:            %{bf967a9c-0de6-11d0-a285-00aa003049e2}
        Object Name:            %{0fab7c44-78be-4a51-aedd-184e673399f3}
        Handle ID:              0x0

Operation:
        Operation Type:         Object Access
        Accesses:               Write Property

        Access Mask:            0x20
        Properties:             Write Property
                {e48d0154-bcf8-11d1-8702-00c04fb96050}
                        {bf967950-0de6-11d0-a285-00aa003049e2}
        {bf967a9c-0de6-11d0-a285-00aa003049e2}

Has anyone gotten this working?

Hugh


Re: Does splunk-wmi use the evt_resolve_ad_obj directive with remote "pulled" event logs?

Explorer

I can't get Splunk to respect the evt_resolve_ad_obj setting for WMI either. I'm having a similar problem where I want the Security Log to have GUIDs instead of resolving Distinguished Names (the opposite of your problem). I've put evt_resolve_ad_obj = 0 in several stanzas of inputs.conf but no dice! I'm running a Splunk 4.2.1 forwarder on Windows 2003 R2.


Re: Does splunk-wmi use the evt_resolve_ad_obj directive with remote "pulled" event logs?

Explorer

Based on my further testing, splunk-wmi.exe completely ignores the evt_resolve_ad_obj flag. When pulling from Windows 2003, WMI always resolves the GUIDs to Distinguished Names. When pulling from Windows 2008, WMI never resolves the GUIDs to Distinguished Names.

Feature request: Add support for evt_resolve_ad_obj to Splunk WMI.

Hugh's example is a Windows 2008 security log. I've also tested with splunk-4.2.1-98164-x64-release.msi, splunkforwarder-4.2.1-98164-x64-release.msi, and splunkforwarder-4.2-96430-x64-release.msi pulling security logs over WMI from a Windows 2003 Domain Controller. I've also tested with splunk-4.2.1-98164-x64-release.msi pulling security logs over WMI from a Windows 2008 R2 Domain Controller.

I've tried evt_resolve_ad_obj = 1 and evt_resolve_ad_obj = 0 in each of these config stanzas:

wmi.conf

[WMI:DC Security Log]
disabled = 0
event_log_file = Security
evt_resolve_ad_obj = 0
index = default
interval = 5
server = 192.168.0.2

inputs.conf

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
evt_resolve_ad_obj = 0
disabled = 0

[WMI:WinEventLog:Security]
evt_resolve_ad_obj = 0

[WinEventLog:Security]
evt_resolve_ad_obj = 0

In our case, we're specifically interested in pulling raw GUIDs from the Windows Security Log "Object Name" field on 2003 and the Object "GUID" field on 2008. The Windows 2008 default is in line with our goal. But our goal is the opposite of Hugh's goal of pulling the resolved names, hence the need for a flag to turn it on and off.


Re: Does splunk-wmi use the evt_resolve_ad_obj directive with remote "pulled" event logs?

Path Finder

What I got is a little bit different: 2003 WMI events always translate the SID and never translate the GUID, regardless of the value of evt_resolve_ad_obj set on the forwarder.


Re: Does splunk-wmi use the evt_resolve_ad_obj directive with remote "pulled" event logs?

Explorer

Just bumping this one as it still is an issue in the current version of Splunk.


Re: Does splunk-wmi use the evt_resolve_ad_obj directive with remote "pulled" event logs?

Splunk Employee

We don't document that evt_resolve_ad_obj has any effect for WMI inputs. It's only documented for the inputs.conf file for [WinEventLog:] formatted inputs, and that's the only place this setting is observed/used.


Re: Does splunk-wmi use the evt_resolve_ad_obj directive with remote "pulled" event logs?

Path Finder

Do you have any update on when Splunk will support this for WMI? It makes sense that events from WMI should have the same format as when they are collected locally. Is there any bug or enhancement number for this issue?
