I have 4 Windows domain controllers running the Splunk light forwarder (version 4.1.6). I'm forwarding the local security event log from all 4 of them. 2 of the 4 are running Windows 2008 Core Server. When I look at events coming from these 2 servers, the message portion of the event contains this error:
Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.
FormatMessage error: The parameter is incorrect.
Anyone experience a similar problem? Or have you been successful in reading event viewer logs with Splunk on win2k8 core?
Splunk doesn't go to the .dll to get this info... the Windows Event Viewer does. Look at your Windows event logs locally and I will bet you are getting the same message. If it is your Security log, you are probably missing the msaudite.dll file under the system32 folder, along with the Security subkey under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security.
If it is in the Application or System event log, you are missing the registry hives for those events. You can just copy them over from a working machine.
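The local check the answer describes, as an added example that is not part of the original post. Run it on the affected domain controller itself: it looks for the legacy Security source subkey and message DLL the answer names, then asks the local event API to render a few Security events so you can see whether the host produces the same "could not get the description" result without any forwarder involved. The phrase matched in the last step is an assumption about how the local API reports a missing description.

```powershell
# Added example (not from the original answer). Checks the legacy Security log
# source registration and its message DLL, then tests local rendering.

$sourceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security'

if (-not (Test-Path -Path $sourceKey)) {
    Write-Warning "Source subkey is missing: $sourceKey"
}
else {
    $props = Get-ItemProperty -Path $sourceKey -ErrorAction SilentlyContinue
    if (-not $props.EventMessageFile) {
        Write-Warning "EventMessageFile value is missing under $sourceKey"
    }
    else {
        # EventMessageFile may list several DLLs separated by ';' and use %SystemRoot%.
        foreach ($file in ($props.EventMessageFile -split ';')) {
            $path = [Environment]::ExpandEnvironmentVariables($file.Trim())
            if (Test-Path -Path $path) { "Message file present: $path" }
            else { Write-Warning "Message file not found: $path" }
        }
    }
}

# Independently, ask the local event API to render recent Security events.
# If the host itself cannot produce a description, the forwarder never had
# anything to forward. (The matched wording is an assumption, not from the page.)
$recent = Get-WinEvent -LogName Security -MaxEvents 20
$blank  = @($recent | Where-Object {
    -not $_.Message -or $_.Message -match 'description .* cannot be found'
})
"{0} of {1} recent Security events have no usable description" -f $blank.Count, $recent.Count
```

If the subkey or DLL is missing, copy the subkey from a working domain controller of the same Windows version and confirm the DLL it points at exists before restarting the Event Log service.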
One of my customers has been experiencing this problem as well.
From what we can see / have found out, it seems related to Windows RM (Remote Management) and the format Windows writes its event logs in. Try changing the format of the event logs written and I think it should be solved.
To list event log subscriptions:
wecutil es  <- list existing subscriptions
wecutil gs <SubscriptionId>  <- get subscription info
wecutil ss <SubscriptionId> /cf:Events  <- change the format from RenderedText to Events
Try it out! Hope it can help someone.
(I have seen this issue in many threads, and I have also seen people blaming Splunk for it, but it seems to be a Windows-side error.) ;)
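The wecutil procedure above carried through for every subscription at once, as an added example that is not part of the original post. Run it on the event collector from an elevated prompt: it lists every subscription, shows its current ContentFormat, and switches any set to RenderedText over to Events. Without -Apply it only reports. Reading a subscription as XML with "gs /f:xml" and the <ContentFormat> element name are assumptions about wecutil's output, so verify one subscription by hand first.

```powershell
# Added example (not from the original answer). Wraps the wecutil verbs named
# in the answer: es (list), gs (get), ss /cf: (set content format).
param([switch]$Apply)

$ids = @(wecutil es | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($ids.Count -eq 0) { "No subscriptions defined on this collector."; return }

foreach ($id in $ids) {
    # Assumption: "gs /f:xml" returns the subscription document with a
    # <ContentFormat> element holding RenderedText or Events.
    [xml]$sub = (wecutil gs $id /f:xml) -join "`n"
    $format = $sub.Subscription.ContentFormat
    "{0,-40} ContentFormat={1}" -f $id, $format

    if ($format -eq 'RenderedText') {
        if ($Apply) {
            wecutil ss $id /cf:Events
            "    switched to Events"
        }
        else {
            "    would switch to Events (re-run with -Apply)"
        }
    }
}
```

Events keeps the raw event XML so the receiving host renders descriptions from its own message resources; RenderedText asks the source machine to render them at forwarding time, which is where a host missing those resources produces the description error.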