I have 4 Windows domain controllers running the Splunk light forwarder (version 4.1.6). I'm forwarding the local security event log from all 4 of them. 2 of the 4 are running Windows 2008 Core Server. When I look at events coming from these 2 servers, the message portion of the event contains this error:

Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.

FormatMessage error: The parameter is incorrect.

Anyone experience a similar problem? Or have you been successful in reading event viewer logs with Splunk on win2k8 core?

asked 25 Jan '11, 18:58 by Jeremiah

What are the event code(s) associated with these events (or is it occurring for all events)?

I just tested this right now with a brand new Win2k8 Standard Core install, without any problems.

How long have these systems been up? Have they had patches applied? This reeks of a corrupt DLL somewhere, in particular MSObjs.dll, MSauditE.dll, and NTMarta.dll.

(10 Feb '11, 02:08) malmoore ♦

2 Answers:

Splunk doesn't go to the .dll to get this info; the Windows Event Viewer does. Look at your Windows event logs locally and I will bet you are getting the same message. If it is your security log, you are probably missing the msaudite.dll file under the system32 folder, along with the security subkey under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security. If it is in the app or system event log, you are missing the registry hives for those events. You can just copy them over from a working machine.


answered 10 Jul '12, 12:29 by mship
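A check for the condition this answer describes, as an added example (not code from the original post or from Splunk): it enumerates the event sources registered under a log's registry key and reports any message DLLs that are missing on disk. It assumes PowerShell is available on the host, a local elevated session, and that bare file names resolve from System32.

```powershell
# Added example: verify that the message DLLs registered for an event log exist.
# Run elevated; the Security log key is ACL-restricted.
param(
    [string]$LogName = 'Security'   # also try 'Application' or 'System'
)

$root = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
if (-not (Test-Path $root)) {
    Write-Warning "Registry key missing: $root"
    return
}

# Value names that point at the message-table DLLs used to render event text
$valueNames = 'EventMessageFile', 'ParameterMessageFile', 'CategoryMessageFile'

$results = foreach ($source in Get-ChildItem $root) {
    $props = Get-ItemProperty -Path $source.PSPath
    foreach ($name in $valueNames) {
        $raw = $props.$name
        if (-not $raw) { continue }
        # A value may list several DLLs separated by ';' and may use %SystemRoot%
        foreach ($entry in ($raw -split ';')) {
            $path = [Environment]::ExpandEnvironmentVariables($entry.Trim())
            if (-not $path) { continue }
            # Assumption for this check: bare file names live in System32
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path "$env:SystemRoot\System32" $path
            }
            New-Object PSObject -Property @{
                Source = $source.PSChildName
                Value  = $name
                Path   = $path
                Exists = (Test-Path -LiteralPath $path)
            }
        }
    }
}

if (-not $results) {
    Write-Warning "No message files are registered under $root"
    return
}

$missing = @($results | Where-Object { -not $_.Exists })
if ($missing.Count -eq 0) {
    "All registered message files for '$LogName' were found."
} else {
    $missing | Sort-Object Source | Format-Table Source, Value, Path -AutoSize
}
```

Running the same script on a host that renders events correctly gives a baseline to compare against.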

One of my customers has been experiencing this problem as well. From what we can see / have found out, it seems related to Windows RM (remote management) and the format Windows writes its event logs in. Try to change the format of the event logs written and I think it should be solved.

To list event log subscriptions:

    REM list existing subscriptions
    wecutil es
    REM get subscription info
    wecutil gs <name-of-sub>
    REM change the format from rendered text to events
    wecutil ss <name-of-sub> /cf:events

Try it out! Hope it can help someone (I have seen this issue in many threads, and I have also seen people somehow blaming Splunk for it, but it seems to be a Windows-side error) ;)


answered 11 Feb '13, 06:46 by lmyrefelt

Asked: 25 Jan '11, 18:58

Seen: 2,938 times

Last updated: 11 Feb '13, 06:46

Copyright © 2005-2014 Splunk Inc. All rights reserved.