I'm receiving many errors (to the tune of 20GB/day from one server) in my _internal from a light forwarder.

Target: Windows 2k8, Splunk 4.1.5 Light Forwarder running as Local System.
Description: Splunk test forwarder. I am testing Splunk as a log forwarder on Windows, and this box is used for that purpose. No apps are actively running on the box (such as web servers, etc.) that would generate extra logs.

Indexer: RHEL 5 Splunk 4.1.3

Problem: In 15 minutes I receive 1,262,353 events from the Target server in my '_internal' database. 25% of these logs are "WinEventLogChannel - getBookMark: No checkpoint file available". Other errors that appear to occur significantly are "WinEventLogInputProcessor - main-thread: Failed to initialize Window Event Log 'various'" and "WinEventLogChannel - init: Init failed, unable to subscribe to Windows Event Log channel 'various'".

These errors sound like the Splunk instance is having trouble accessing certain Windows logs. How do I turn these off, or better yet, grant Splunk access to index them?

asked 20 Sep '10, 16:02 by mbrunetto (edited 20 Sep '10, 17:32)

One Answer:

Splunk Light Forwarders send their internal logs in Splunk 4.1.x and later. To disable them, you can follow the instructions here:

http://answers.splunk.com/questions/4469/how-do-i-tell-my-light-forwarder-to-stop-forwarding-internal-logs

Additionally, you probably have a permissions problem with the user running Splunk on your Windows system. The user running Splunk should have service capability to access system-level information.

answered 20 Sep '10, 17:30 by Simeon
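As an added illustration of the "stop forwarding _internal" step (this is not text from the answer or from the linked page; it shows the forwardedindex filter mechanism in the forwarder's outputs.conf, and the exact stanza should be checked against the linked instructions and the outputs.conf.spec shipped with your version), the relevant section of the light forwarder's outputs.conf looks like this:

```ini
# $SPLUNK_HOME\etc\system\local\outputs.conf on the light forwarder
# Added example, not from the thread. The forwardedindex rules are applied in
# numeric order and the last matching rule wins: forward everything, then
# blacklist every index whose name starts with "_", then re-allow _audit only,
# so _internal stays on the forwarder and never reaches the indexer.
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.filter.disable = false
```

Restart splunkd on the forwarder for the change to take effect. Note the caveat: this only stops the noise from reaching the indexer. The forwarder keeps writing the same subscription errors to its local splunkd.log, so the underlying input or permission problem still has to be tracked down.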

Thanks. That provided me a way to stop my absurdly large log file. Any idea how to check the permissions? The user running Splunk is "Local System", I was pretty sure he had access to everything. I tried changing the splunk user to a different admin account that can view the log files in event viewer, but I still get the same spam errors.

(21 Sep '10, 16:06) mbrunetto

I have been working with Splunk support, and we traced this down. Somehow I had gotten over 400 inputs added to my inputs.conf. Several of these are event logs that MS does not allow the logger to attach to, and those were producing the errors. By removing the excess inputs, my processor and disk utilization dropped dramatically. The system is now reporting a usable amount of logs and working well.

(23 Sep '10, 15:38) mbrunetto
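As an added example tied to that last comment (this script is not from the thread or from Splunk; it assumes PowerShell 2.0 or later for Get-WinEvent, and the inputs.conf path is a placeholder to adjust for your install), the following audits the [WinEventLog:...] stanzas in a forwarder's inputs.conf, tries a one-event read of each channel under the account it runs as, and writes a copy of the file with the unreadable channels dropped. Run it as the same account Splunk runs as (for Local System, e.g. via psexec -s powershell.exe) so the result reflects the access Splunk actually has.

```powershell
# Added example (not from the original thread): find WinEventLog inputs the
# running account cannot read and write a cleaned inputs.conf without them.
# Assumptions: PowerShell 2.0+ (Get-WinEvent); paths below are placeholders.
param(
    [string]$InputsConf = 'C:\Program Files\Splunk\etc\apps\search\local\inputs.conf',
    [string]$OutFile    = "$env:TEMP\inputs.conf.cleaned"
)

function Test-ChannelReadable {
    param([string]$Channel)
    try {
        # A one-event read needs the same read/subscribe right Splunk needs.
        $null = Get-WinEvent -LogName $Channel -MaxEvents 1 -ErrorAction Stop
        return $true
    } catch {
        # An empty but readable channel surfaces as "no events found"; keep it.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return $true }
        return $false
    }
}

# Split the file into stanzas; each starts at a header like [WinEventLog:Security].
$header  = @()      # lines before the first stanza (comments, blank lines)
$stanzas = @()
$current = $null
foreach ($line in Get-Content -Path $InputsConf) {
    if ($line -match '^\s*\[(.+)\]\s*$') {
        if ($current -ne $null) { $stanzas += ,$current }
        $current = @{ Name = $matches[1]; Lines = @($line) }
    } elseif ($current -ne $null) {
        $current.Lines += $line
    } else {
        $header += $line
    }
}
if ($current -ne $null) { $stanzas += ,$current }

# Keep every non-WinEventLog stanza untouched; test each WinEventLog channel.
$kept    = @()
$dropped = @()
foreach ($s in $stanzas) {
    if ($s.Name -match '^WinEventLog:(.+)$') {
        $channel = $matches[1]
        if (Test-ChannelReadable $channel) { $kept += ,$s } else { $dropped += $channel }
    } else {
        $kept += ,$s
    }
}

$out = $header
foreach ($s in $kept) { $out += $s.Lines }
$out | Set-Content -Path $OutFile

"Kept {0} stanza(s); dropped {1} unreadable WinEventLog channel(s):" -f $kept.Count, $dropped.Count
$dropped | ForEach-Object { "  $_" }
"Cleaned copy written to $OutFile (review it before replacing inputs.conf)."
```

The script deliberately writes to a separate file rather than overwriting inputs.conf: a channel that fails to read under one account (or is simply disabled) may be one you still want, so review the dropped list before swapping the file in and restarting splunkd.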
Last updated: 05 Apr '11, 17:22

Copyright © 2005-2012 Splunk, Inc. All rights reserved.