Error reading security event log messages on Windows 2008 Core Server

Jeremiah
Motivator

I have 4 Windows domain controllers running the Splunk light forwarder (version 4.1.6). I'm forwarding the local security event log from all 4 of them. 2 of the 4 are running Windows 2008 Core Server. When I look at events coming from these 2 servers, the message portion of the event contains this error:

Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.

FormatMessage error: The parameter is incorrect.

Anyone experience a similar problem? Or have you been successful in reading event viewer logs with Splunk on win2k8 core?


lmyrefelt
Builder

One of my customers has been experiencing this problem as well.
From what we can see / have found out, it seems related to Windows RM (remote management) and the format Windows writes its event logs in. Try to change the format of the event logs written and I think it should be solved.

To list event log subscriptions:

wecutil es                                  < list existing subscriptions
wecutil gs <SubscriptionName>               < get subscription info
wecutil ss <SubscriptionName> /cf:Events    < change the content format from rendered text to events

Try it out! Hope it can help someone.
(I have seen this issue in many threads and I have also seen that people somehow blame Splunk for it, but it seems to be a Windows-side error) 😉

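The wecutil steps in the answer above, as an added PowerShell example that is not part of the original thread: it enumerates the collector's subscriptions, reads each one's content format, and reports (or, with -Apply, changes) the ones still delivering rendered text. The script name and the -Apply switch are my own; it also assumes that "wecutil gs" prints a line of the form "ContentFormat: RenderedText", which is how that command reports the setting.

```powershell
# Added example, not from the original thread: audit Windows Event Collector
# subscriptions and report which ones deliver RenderedText instead of Events.
# Run on the collector host (where wecutil manages the subscriptions).
# Assumption: "wecutil gs <name>" prints a "ContentFormat: <value>" line.
param(
    [switch]$Apply   # when set, switch RenderedText subscriptions to Events
)

$subscriptions = wecutil es | Where-Object { $_ -and $_.Trim() }
if (-not $subscriptions) {
    Write-Host "No collector subscriptions found on this host."
    return
}

foreach ($name in $subscriptions) {
    $name = $name.Trim()
    $details = wecutil gs $name
    $formatLine = $details |
        Where-Object { $_ -match '^\s*ContentFormat:' } |
        Select-Object -First 1
    $format = if ($formatLine) { ($formatLine -split ':', 2)[1].Trim() } else { 'unknown' }

    if ($format -eq 'RenderedText') {
        if ($Apply) {
            # Same change the answer describes: deliver raw events, let the
            # consumer render the message text.
            wecutil ss $name /cf:Events
            Write-Host "$name : switched ContentFormat from RenderedText to Events"
        } else {
            Write-Host "$name : ContentFormat is RenderedText (rerun with -Apply to change)"
        }
    } else {
        Write-Host "$name : ContentFormat is $format"
    }
}
```

Save it as a .ps1 and run it once without -Apply to see which subscriptions are affected before changing anything; events already forwarded as rendered text are not re-rendered, only new ones pick up the change.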

mship
Path Finder

Splunk doesn't go to the .dll to get this info... the Windows Event Viewer does. Look at your Windows event logs locally and I will bet you are getting the same message. If it is your Security log you are probably missing the msaudite.dll file under the System32 folder along with the Security subkey under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security.
If it is in the Application or System event log you are missing the registry hives for those events. You can just copy them over from a working machine.

malmoore
Splunk Employee

What are the event code(s) associated with these events (or is it occurring for all events)?

I just tested this right now with a brand new Win2k8 Standard Core install, without any problems.

How long have these systems been up? Have they had patches applied? This reeks of a corrupt DLL somewhere, in particular MSObjs.dll, MSauditE.dll, and NTMarta.dll.

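The two diagnoses above (a missing registry subkey or message DLL under the Security log key, and a corrupt MSObjs.dll, MSauditE.dll or NTMarta.dll) can be checked on the forwarder itself. This is an added PowerShell example and not code from the thread or from Splunk: it walks the sources registered under the Security event log key, verifies that every EventMessageFile they reference exists and is signed, and then reports the version and signature status of the three DLLs named in the last reply. The output layout is my own choice; it assumes it is run in an elevated session.

```powershell
# Added example, not from the original thread: check that the Security
# event log's message sources resolve to existing, signed DLLs, and that
# the auditing DLLs named in the thread are present in System32.
# Run as Administrator on the forwarder that shows the FormatMessage error.
$logKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

if (-not (Test-Path $logKey)) {
    Write-Warning "Registry key missing: $logKey (message lookups for the Security log will fail)"
} else {
    Get-ChildItem $logKey | ForEach-Object {
        $source  = $_.PSChildName
        $msgFile = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).EventMessageFile
        if (-not $msgFile) {
            Write-Warning "$source : no EventMessageFile value"
            return   # next source
        }
        # EventMessageFile may list several DLLs separated by ';' and use %SystemRoot%
        foreach ($entry in ($msgFile -split ';')) {
            $path = [Environment]::ExpandEnvironmentVariables($entry.Trim())
            if (-not (Test-Path $path)) {
                Write-Warning "$source : message file not found: $path"
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $path
                Write-Host ("{0,-35} {1,-55} {2}" -f $source, $path, $sig.Status)
            }
        }
    }
}

# The DLLs the thread names as the usual suspects for a corrupt install.
# Note: catalog-signed system files can report NotSigned on older Windows
# releases; a Valid status is a good sign, NotSigned alone is not proof of damage.
foreach ($dll in 'msobjs.dll', 'msaudite.dll', 'ntmarta.dll') {
    $path = Join-Path $env:SystemRoot "System32\$dll"
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $ver = (Get-Item $path).VersionInfo.FileVersion
        Write-Host ("{0,-14} present  version={1}  signature={2}" -f $dll, $ver, $sig.Status)
    } else {
        Write-Warning "$dll missing from $env:SystemRoot\System32"
    }
}
```

Comparing the output from a Core host that shows the error with a full-install domain controller that does not is the quickest way to see whether a source, a DLL, or the registry key itself is what differs.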