In my environment our AD servers don't locally log the correct event IDs for UDT to work correctly but they do forward those logs to Splunk. It would be nice if those logs could be read from Splunk instead of only from AD.
I can appreciate the idea. But don't you think the AD servers need to be adjusted so they record the transactions correctly? I think treating the cause will result in UDT working the way you need, instead of turning to Splunk as a work-around for a symptom.
Offered in a gentle and friendly manner. I don't walk in your shoes, don't know the trials and tribulations it'll take to make the modifications to AD in your environment so it works the way it does here, where all I needed was the right permissions for my UDT system account to get that data from AD.
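The "treat the cause" route above means making each domain controller record the logon events locally. The script below is an added example written for this thread, not code from the original posts or from the UDT product. It assumes (the thread does not say which IDs UDT needs) that the tracker reads the "Logon" and Kerberos authentication subcategories (Security events 4624, 4768, 4769), and that it runs in an elevated PowerShell session on each DC.

```powershell
# Added example, not part of the original thread or of the UDT product.
# Checks whether a domain controller's advanced audit policy actually records
# logon events in the local Security log, enables the missing subcategories,
# and confirms that matching events appear afterwards.
# Assumptions (not stated in the thread): the tracking tool reads the
# "Logon" and Kerberos authentication subcategories (Security events 4624,
# 4768, 4769), and the script runs elevated on the DC.

$Subcategories = @(
    'Logon',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations'
)
$EventIds = 4624, 4768, 4769

function Get-AuditSubcategoryState {
    param([string]$Name)
    # auditpol /r prints CSV; the 'Inclusion Setting' column holds
    # 'Success', 'Failure', 'Success and Failure' or 'No Auditing'.
    $row = auditpol /get /subcategory:"$Name" /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv
    [pscustomobject]@{
        Subcategory = $Name
        Setting     = $row.'Inclusion Setting'
        Ok          = ($row.'Inclusion Setting' -eq 'Success and Failure')
    }
}

# 1. Current state of the subcategories we care about.
$before = $Subcategories | ForEach-Object { Get-AuditSubcategoryState $_ }
$before | Format-Table -AutoSize

# 2. Enable success and failure auditing wherever it is missing.
foreach ($entry in ($before | Where-Object { -not $_.Ok })) {
    Write-Host "Enabling success and failure auditing for '$($entry.Subcategory)'"
    auditpol /set /subcategory:"$($entry.Subcategory)" /success:enable /failure:enable | Out-Null
}

# 3. Re-read the policy to confirm the local change stuck.
$after = $Subcategories | ForEach-Object { Get-AuditSubcategoryState $_ }
$after | Format-Table -AutoSize

# 4. Confirm the events now land in the local Security log. Give the DC a few
#    minutes of normal domain traffic first; an empty result after that points
#    at a GPO overriding the local setting, or a Security log too small to
#    retain anything between reads.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventIds } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, MachineName
```

Two caveats a practitioner hits with this: if the Default Domain Controllers Policy (or any other GPO) defines Advanced Audit Policy settings, a local auditpol change is reverted at the next policy refresh, so make the change in that GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration) and run gpupdate /force on the DCs instead; and the setting has to be applied on every DC, because the event is written only by the DC that authenticated the session, not replicated to the others.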