For Wineventlog, Event ID captures User info, but ...

rbal_splunk · ‎07-30-2015

Issue is that for the Wineventlog for Application channel EventCode=11707 and EventCode=11724, intermittently _raw data User is reported as “User=NOT_TRANSLATED”

dgrubb_splunk · ‎01-25-2017

Have you verified that the WinEventLog: Application input stanza is configured to translate:

e.g.

[WinEventLog:Application]
evt_resolve_ad_obj = 1

inputs.conf.spec:

evt_resolve_ad_obj = [1|0]
* How the input should interact with Active Directory while indexing Windows
Event Log events.
* If you set this setting to 1, the input resolves the Active
Directory Security IDentifier (SID) objects to their canonical names for
a specific Windows Event Log channel.
* If you enable the setting, the rate at which the input reads events
on high-traffic Event Log channels can decrease. Latency can also increase
during event acquisition. This is due to the overhead involved in performing
AD translations.
* When you set this setting to 1, you can optionally specify the domain
controller name or dns name of the domain to bind to with the 'evt_dc_name'
setting. The input connects to that domain controller to resolve the AD
objects.
* If you set this setting to 0, the input does not attempt any resolution.
* Defaults to 0 (disabled) for all channels.

For Wineventlog, Event ID captures User info, but why does Splunk raw data show user User=NOT_TRANSLATED?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies