Refine your search:

Windows Event Logs stop forwarding - why?

0

I have Splunk forwarder installed on many Windows 2008 systems, and recently, the Windows Event logs stopped showing up in my searches, even though forwarding of them is enabled in my /local/inputs.conf

[WinEventLog:Application]
disabled = 0

[WinEventLog:System]
disabled = 0

This just stopped working at 00:00 on 6/1.

I should have also mentioned that we are running 4.05 for the forwarders.

This was working for quite a while and just stopped. I'm unable to get it working again. Any ideas?

Thanks.

asked 09 Jun '10, 03:19

cpenkert's gravatar image

cpenkert
1831113
accept rate: 25%

edited 21 Jul '10, 22:03

Lowell's gravatar image

Lowell ♦
11.1k91289
2 Answers:
oldestnewestmost voted
0

This could be one of a number of reasons, usually related to either a network or a config change of some sort. If it happened on one of your forwarders my first suspicion would be an issue with either that server or the Splunk config on the forwarder instance, if it's affecting all of your forwarders I would suspect the config on your indexer instance to have a problem, or a more general network issue.

We have some general troubleshooting steps you can try documented here

link

answered 09 Jun '10, 19:01

Mick's gravatar image

Mick ♦
4.4k8742
accept rate: 52%

all other data from these machines is making it to the indexer just fine. It is only the EventLog entries that aren't getting to the indexer. No resolution in the troubleshooting link that was attached.

(10 Jun '10, 13:54) cpenkert

I opened a case for this and we are still working on finding out the cause...once I get an answer, I'll post it back here.

(06 Jul '10, 00:57) cpenkert
0

I have had this.

Basically the LastAccess time on your log file does NOT necessarily get updated by Windows 2008 installations, if your logging application keeps the file open. Apparently this is an 'optimisation' by Microsoft.

So, in your inputs.conf try the following:

# This flag set for 2008 installations which DONT update LastAccessTime!!
alwaysOpenFile = 1

Be aware that this impacts performance (or so I'm told)

link

answered 17 Feb '11, 17:45

stuartamurray's gravatar image

stuartamurray
5917
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×635
×144
×47

Asked: 09 Jun '10, 03:19

Seen: 2,006 times

Last updated: 01 Apr '11, 17:22

Related questions

Windows eventlog stops forwarding

Forwarding Saved Windows Events

Universal Forwarder Not Forwarding Windows Event Logs

ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security' Host is no longer forwarding WinEventLog:Security to the Linux indexer.

Forwarders on Win 2008 SP1 stop forwarding events

Error reading security event log messages on Windows 2008 Core Server

Windows 2003 Event Logs

setting destination index for win light forwarder

Configure interval for forwarding Windows Event Logs to Forwarder

Copyright © 2005-2012 Splunk Inc. All rights reserved.