
UF 6.0.2 on Windows 2008 R2: could not get description for this event

FloydATC
Explorer

I see this was a known issue with older versions of the Universal Forwarder but I keep getting these error messages on fresh installs using version 6.0.2:

"Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt."

This seems to happen mostly for System events and sporadically for Application events. The other event types appear to be OK.

If it makes any difference, the indexer is running 6.0.2 on Linux.


wcolgate_splunk
Splunk Employee

If you'd be willing to turn on debug tracing, we may be able to help one another get to the bottom of this. Turning on debug may make the splunkd.log file chatty. When a Windows event fails the FormatMessage() call (http://msdn.microsoft.com/en-us/library/windows/desktop/ms679351(v=vs.85).aspx), if debug is enabled, we will log a message stating what the Windows error is.

To turn on debug tracing, you will need to modify two .cfg files:

log.cfg and log-cmdline.cfg, both found in splunk's etc subdirectory.

In log.cfg, change category.ExecProcessor=INFO to category.ExecProcessor=DEBUG

In log-cmdline.cfg add category.splunk-winevtlog=DEBUG

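The two edits the answer describes, scripted as an added example (not code from the thread or from Splunk): it backs up both .cfg files under the forwarder's etc directory, makes the edits idempotently, and can restore the originals once the splunkd.log output has been collected. It assumes the default Universal Forwarder install path, the SplunkForwarder service name, and that splunkd is restarted afterward for the new log levels to take effect.

```powershell
# Added example, not part of the original answer.
# Enables (or reverts) the debug tracing described above on a Windows UF.
param(
    # Assumed default install location; adjust if the UF lives elsewhere.
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [switch]$Revert
)

$logCfg = Join-Path $SplunkHome 'etc\log.cfg'
$cmdCfg = Join-Path $SplunkHome 'etc\log-cmdline.cfg'

if ($Revert) {
    # Put the pre-debug copies back so splunkd.log stops being chatty.
    foreach ($f in $logCfg, $cmdCfg) {
        if (Test-Path "$f.bak") { Copy-Item "$f.bak" $f -Force; Write-Host "restored $f" }
    }
    return
}

# Keep an untouched copy of each file the first time we modify it.
foreach ($f in $logCfg, $cmdCfg) {
    if ((Test-Path $f) -and -not (Test-Path "$f.bak")) { Copy-Item $f "$f.bak" }
}

# log.cfg: category.ExecProcessor=INFO -> category.ExecProcessor=DEBUG
$content = Get-Content $logCfg
$content = $content -replace '^category\.ExecProcessor=INFO\s*$', 'category.ExecProcessor=DEBUG'
Set-Content -Path $logCfg -Value $content

# log-cmdline.cfg: add category.splunk-winevtlog=DEBUG exactly once.
$line = 'category.splunk-winevtlog=DEBUG'
$present = (Test-Path $cmdCfg) -and
           (Select-String -Path $cmdCfg -Pattern ([regex]::Escape($line)) -Quiet)
if (-not $present) { Add-Content -Path $cmdCfg -Value $line }

Write-Host 'Debug tracing enabled. Restart the SplunkForwarder service (assumed name),'
Write-Host 'then search splunkd.log for FormatMessage errors logged by splunk-winevtlog.'
```

Run the script again with -Revert once the FormatMessage error details have been captured, since debug-level ExecProcessor output grows splunkd.log quickly.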

FloydATC
Explorer

I'm unable to turn on debugging right at this moment but will do so at the first opportunity. Thanks for the tip, I have awarded a point and accepted this as an answer for now.


FloydATC
Explorer

I get the partial event with EventID, Type, LogName etc, but the Message field just contains "could not get description for this event". According to Microsoft, this means the necessary DLL files and/or registry keys for the application that generated the event are unavailable but as the events are logged on the local machine that's obviously not the case. The events in question show perfectly fine in the Event Log viewer. Thus, the only possible explanation is that the UF failed to get the message text for some reason or another. I have spent quite a few hours lately trying to figure out the inner workings of Event Logs and the API is a complete mess.

Now... not for one second will I blame Splunk for not getting this crap to work.

Everyone else in the whole world has been using text logs since the 60's so obviously Microsoft had to "innovate" a log system so bloated, complicated, fragile and brain damaged it can't be used for any real life purpose whatsoever. The only almost reliable way to wrest the logs out of this monster is by the use of Powershell. Just don't expect to be able to run anything else on that server.

I'll stop ranting and go home now.


rmsit
Communicator

I'm having a similar issue with receiving events from a 2008R2 UF. For example, the ColdFusion sourcetype yields the following:

Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. FormatMessage error: Got the following information from this event: ColdFusion 9 ODBC Server@LOCALHOST,ErrorCode=2310,ErrorMessage=TCP/IP, connection reset by peer.

How can I fix the formatting issue?


wcolgate_splunk
Splunk Employee
Splunk Employee

The event rendering takes place on the forwarder. Once the event is rendered, it doesn't get annotated or modified in any way. Do you see any partial event, or is the event a complete hash?
