Refine your search:

Duplicated windows security event log data with WMI

0

Hello, I am trying to get events of a windows 2003 server (security logs) using splunk+WMI for windows installed on a XP host. If I restart splunk services all events are being duplicated on the indexer. Is it normal or it should not happen?

Thanks in advance and kind regards. Luca.

asked 18 Oct '10, 12:54

cafissimo's gravatar image

cafissimo
1297
accept rate: 100%

edited 18 Oct '10, 14:57

You should not be getting duplicate events. WMI should checkpoint what it already got and only request what it doesn't. Can you paste your configuration?

(27 Oct '10, 18:30) igor ♦
Be the first one to answer this question!
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×109
×98

Asked: 18 Oct '10, 12:54

Seen: 522 times

Last updated: 18 Oct '10, 14:57

Related questions

WMI Filter event log security Category string

WMI Event Log Security Search

building a search on windows event security logs

[closed] WMI event logs manager

Error reading security event log messages on Windows 2008 Core Server

How to configure Splunk to collect windows system & security logs via WMI

How do I configure Splunk to index Windows Event Log data in separate indexes?

ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security' Host is no longer forwarding WinEventLog:Security to the Linux indexer.

Windows Event Logs (Server 2003) - can't view "binary data"

Copyright © 2005-2012 Splunk, Inc. All rights reserved.