Hi! I'm just starting out with Splunk and I'm having it index the WinEventLog:Security. When doing a simple search for account logons and logoffs, I get the "Splunk could not get the description...." message. I am using this as the search string:

source="WinEventLog:Security" EventCode=4624 OR EventCode=2625 OR EventCode=4634

Here are the results of the query. --

I can't imagine that Splunk can't interpret a logon event from Windows, and I'm almost sure it's something I'm doing wrong. If anybody has any suggestions, that would be great. Thanks!
This seems to be an issue with 4.3.2 and Windows 2008 WinEvent Logs. I updated all of my forwarders (universal and heavy) to 4.3.2 a few weeks ago and noticed later that I was seeing this error a lot on each of the Windows 2008 forwarders. See this entry. I have a support case open with Splunk but it isn't getting a lot of traction. I downgraded one heavy and one universal forwarder to 4.3.1 and the issue doesn't seem to occur... Anyone know when 4.3.3 is scheduled for release?
(08 Jun '12, 07:27)
reedmohn
The problem is that Splunk can't get the information from the DLL, so that information can't be reliably displayed by us. It could be from a corrupt DLL, or that component is actually missing. Splunk doesn't know; what it does know is that it can't get the description, so it gives you a message about the event being incomplete.
Can you provide more info... What version of Windows is Splunk running on? Are you trying to collect a local event log or remote? Using WMI or the Windows TA app? Universal forwarders, etc.? I just ran this search on a Windows 2008 R2 Splunk server with no errors. I have seen this question before and some responses indicate corrupted .dlls.

@mship, I see a similar problem on a Win7 machine running the universal forwarder. For this host, it only happens for one particular event code in the Application log, so a corrupted DLL might be the reason. I don't have access to the machine itself at the moment, so I can't verify anything about the local log or the DLLs.
(09 May '12, 06:53)
cphair
Thanks for the information. I'll maybe try to reinstall Splunk and see what happens. It's running on Server 2008 R2, the 64-bit version. I just configured it to collect the local Windows event logs: the Security, Application, and System logs. Nothing is getting forwarded from anywhere else. I had the Windows App running first, installed the FISMA app, removed the Windows App and replaced it with the Windows TA one. It's also the generic search when it produces it. I'll post my results after the reinstall.
(09 May '12, 08:15)
wiz561
I uninstalled and reinstalled Splunk 4.3.2, and it seems to still be happening. What I did find out, though, is that the events it's happening on seem to be noise, and nothing too serious. I'm wondering if it's Splunk saying that the event is junk and, even though it's getting reported, it's one of the many ones Windows generates that are meaningless to most people.

Would be nice to think so, but I was getting it from the Security logs on my AD Domain Controllers some of the time. Cycling the SplunkForwarder service would (usually) stop this from happening until the next time the service cycled or the server rebooted. Downgraded all of the DCs to 4.3.1...
(10 May '12, 06:41)
jeff
Wiz - did you reinstall your receiver or forwarder? The receiver must be running the same (or later) version of Splunk as your forwarder. Also, Splunk collects data; I don't believe it makes any type of decision (unless you tell it to) on what's worthless or not, especially since event 4624 is related to account logons.
(10 May '12, 07:25)
mship
Splunk doesn't know what is or isn't meaningless, and doesn't attempt to make those judgements. It is simply telling you that it can't get the event description.
(10 May '12, 07:44)
jbsplunk ♦
If you have PowerShell enabled you can also make use of WQL and parse the desired fields of the event into a CSV file. Not a direct answer to your question, but a good practice if you just need some events or fields. Tell me if you need a WQL example.

Splunk doesn't go to the .dll to get this info... the Windows Event Viewer does. Look at your Windows event logs locally and I will bet you are getting the same message. If it is your Security log, you are probably missing the msaudite.dll file under the System32 folder, along with the Security subkey under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security. If it is in the Application or System event log, you are missing the registry hives for those events. You can just copy them over from a working machine.
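As an added diagnostic (not posted by anyone in this thread), the following PowerShell script checks the registry and message-DLL state the last answer describes, then samples the same logon/logoff event codes from the search above to see whether the local Event Log service can render a description at all. It assumes it is run elevated on the affected Windows host; the output format and the 20-event sample size are my own choices.

```powershell
# Constructed diagnostic: verify that every event source registered under the
# Security log still has its message DLL(s) on disk, then sample 4624/4634
# events and flag any whose Message is empty (the same symptom Splunk reports).
$logKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

if (-not (Test-Path $logKey)) {
    Write-Warning "Missing registry key: $logKey (no Security log sources are registered)"
}
else {
    # Each subkey is an event source; its EventMessageFile value names the DLL(s)
    # that hold the description strings (msaudite.dll / adtschema.dll on 2008-era hosts).
    Get-ChildItem $logKey | ForEach-Object {
        $src   = $_.PSChildName
        $files = (Get-ItemProperty $_.PSPath).EventMessageFile
        if (-not $files) {
            Write-Warning "$src has no EventMessageFile value"
            return   # continue with the next source
        }
        foreach ($f in $files -split ';') {
            # Values are typically written with %SystemRoot%, so expand before testing.
            $path  = [Environment]::ExpandEnvironmentVariables($f.Trim())
            $state = if (Test-Path $path) { 'ok' } else { 'MISSING' }
            '{0,-45} {1,-8} {2}' -f $src, $state, $path
        }
    }
}

# Sample the logon/logoff codes from the original search; HasDescription = $false
# means Windows itself cannot render the event, so Splunk cannot either.
$ids = 4624, 4634
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'HasDescription'; e = { -not [string]::IsNullOrEmpty($_.Message) } } |
    Format-Table -AutoSize
```

Any source listed as MISSING, or any sampled event with HasDescription false, points at the host's own event-log registration rather than at the Splunk forwarder.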