Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ForwardedEvents ingestion broken after update to 9.1

PickleRick
SplunkTrust
SplunkTrust
‎09-21-2023 04:29 AM

This is an informational post rather than a question.

If you use WEF to gather logs from your infrastructure to a single point from which you pick them up with

[WinEventLog://ForwardedEvents]

You might notice that this input can stop working after you upgrade to 9.1.0 (or above).

The forwarder will log to splunkd.log errors about wrong event format

Invalid WEC content-format:'Events', for splunk-format = rendered_eventSee the description for the 'wec_event_format' setting at $SPLUNK_HOME/etc/system/README/inputs.conf.spec for more details

 If you go to the inputs.conf spec file (either in the readme directory or on the Splunk website) you'll find the wec_event_format parameter (which was not present in versions up to 9.0.6) which must correspond with the setting in the WEF subscription settings. If the wec_event_format is "wrong" (the most typical situation will be when the WEF subscription is created as Events and the UF uses the default rendered_event value) , you need to set

wec_event_format = raw_event

in your input definition.

Labels (1)
Labels
Tags (2)
Reply

abpe
Path Finder
‎10-31-2023 07:34 AM

It's actually worse.  Splunk doesn't allow you to set the wec_event_format to RenderedText if the channel name doesn't start with ForwardedEvents.

10-20-2023 12:49:20.893 +0200 ERROR ExecProcessor [6396 ExecProcessorSchedulerThread] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - WinEventLogChannelBase::enumLocalWECSubscriptions: subscription:'Applocker' - Invalid WEC destination channel ACME-WEC-Workstations/Applocker for content format RenderedText. RenderedText format is supported only on ForwardedEvents or custom channels named ForwardedEvents-1, ForwardedEvents-2, etc.Consider creating custom channels as the destination log, or change the content format of the subscription to "Events". See the description for the 'wec_event_format' setting at $SPLUNK_HOME/etc/system/README/inputs.conf.spec for more details.

Also you can't set wec_event_format as 'Events' for ForwardedEvents channel and forget about having mixed events in the same channel.

It's amazing how such a breaking change was introduced under the carpet.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...