Since I deployed the Windows app on my forwarder, I am seeing crashes reported in my Windows event logs. But Splunk is still running, and there is no crash in my $SPLUNK_HOME/var/log/splunk. Why?
Please check that your Windows app is correctly set up.
By default the functionality to resolve object names using AD is enabled, but the AD name is not filled in.
"If you've added some non-standard event log channels and you want to specify whether Active Directory objects like GUIDs and SIDs are resolved for a given Windows event log channel, you can turn on the evt_resolve_ad_obj setting (1=enabled, 0=disabled) for that channel's stanza in your local copy of inputs.conf. evt_resolve_ad_obj is on by default for the Security channel."
The default is:
    [default]
    evt_resolve_ad_obj = 1
    evt_dc_name =
    evt_dns_name =
and to fix it you have to edit $SPLUNK_HOME/etc/apps/windows/local/inputs.conf:
    [default]
    evt_resolve_ad_obj = 0
    evt_dc_name = MYADSERVER.MYDOMAIN.COM
    # second is optional
    evt_dns_name = the_Fully-qualified_DNS_name_of_the_domain
See examples here http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf and here http://www.splunk.com/base/Documentation/4.2/Data/MonitorWindowsdata
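Added example, not part of the original question or answer and not Splunk's own code: a small Python check that parses an inputs.conf of the shape the answer describes and lists the WinEventLog stanzas that have evt_resolve_ad_obj = 1 (set directly or inherited from [default]) while evt_dc_name is empty, which is the misconfiguration the answer points at. The sample inputs.conf text, the stanza names and the example domain controller are constructed for this example; the parser models one file only, not Splunk's layering of default/ and local/ directories.

```python
import configparser
from typing import List

# Constructed sample of a $SPLUNK_HOME/etc/apps/windows/local/inputs.conf
# (not taken from any real deployment). The [default] stanza turns AD object
# resolution on but leaves the domain controller name empty; the Application
# stanza opts out, and the System stanza names a DC (dc01.example.com is an
# assumed, made-up host).
SAMPLE_INPUTS_CONF = """\
[default]
evt_resolve_ad_obj = 1
evt_dc_name =
evt_dns_name =

[WinEventLog:Security]
disabled = 0

[WinEventLog:Application]
disabled = 0
evt_resolve_ad_obj = 0

[WinEventLog:System]
disabled = 0
evt_resolve_ad_obj = 1
evt_dc_name = dc01.example.com
"""


def parse_inputs_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk-style inputs.conf text from a single file.

    Splunk conf files are INI-like, and keys in [default] apply to every other
    stanza unless that stanza overrides them. configparser's default_section
    gives the same inheritance for this check. Only one file is modeled, not
    Splunk's full default/local precedence across apps.
    """
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def stanza_is_enabled(cp: configparser.ConfigParser, stanza: str) -> bool:
    """A stanza with disabled = 1 never runs, so it cannot cause the problem."""
    return cp.get(stanza, "disabled", fallback="0").strip() != "1"


def stanza_wants_ad_resolution(cp: configparser.ConfigParser, stanza: str) -> bool:
    """True when evt_resolve_ad_obj resolves to 1 for this stanza (own or inherited)."""
    return cp.get(stanza, "evt_resolve_ad_obj", fallback="0").strip() == "1"


def find_unresolvable_ad_stanzas(text: str) -> List[str]:
    """Return enabled WinEventLog stanzas that ask for AD object resolution
    but have no evt_dc_name to resolve against (directly or via [default])."""
    cp = parse_inputs_conf(text)
    flagged = []
    for stanza in cp.sections():  # [default] itself is not listed here
        if not stanza.startswith("WinEventLog:"):
            continue
        if not stanza_is_enabled(cp, stanza):
            continue
        if not stanza_wants_ad_resolution(cp, stanza):
            continue
        if not cp.get(stanza, "evt_dc_name", fallback="").strip():
            flagged.append(stanza)
    return flagged


if __name__ == "__main__":
    # To check a real forwarder, replace SAMPLE_INPUTS_CONF with the contents
    # of $SPLUNK_HOME/etc/apps/windows/local/inputs.conf.
    for name in find_unresolvable_ad_stanzas(SAMPLE_INPUTS_CONF):
        print(f"{name}: evt_resolve_ad_obj = 1 but evt_dc_name is empty")
```

On the constructed sample only WinEventLog:Security is reported: it inherits evt_resolve_ad_obj = 1 and the empty evt_dc_name from [default], while Application turns resolution off and System names a controller. Either setting evt_resolve_ad_obj = 0 in [default] or filling in evt_dc_name, as the answer suggests, empties the list.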
The crashes are not splunkd crashes, but events logged in the Windows event log about a process failing (Splunk scripted Windows inputs calling the AD API).
Do these crash events have any telltales? There could be crashes for other reasons.