Windows forwarder unable to add Application, System and Security event logs?

remy06
Contributor

Hi,

I've a forwarder (v4.1.3) installed on a W2K DC, and it has been configured to forward Application, System and Security logs to our indexer. Everything was ok until I discovered that the forwarder has actually stopped sending System and Security logs since a few months back... The indexer continues to receive Application logs.

I went to check on the forwarder and it prompts that the license has expired! (I was using the forwarder license, and in splunkweb it shows the license as forwarder as well.) I've tried to re-include the forwarder license and restart splunk, but it still prompts as expired. Thinking this may be the problem, I upgraded the forwarder to v4.1.5, which is the same as the indexer, and set up the forwarder license again.

Now I tried to add the Application, System and Security event logs, but it doesn't seem to work at all now. I don't receive any events on the indexer after that.

1 Solution

jbsplunk
Splunk Employee

Hi Remy

What kind of an input is collecting this data? It could be that your checkpoint has become corrupt and you need to cleanly remove the problematic channels (App, Security, Event).

Are you seeing any errors in splunkd.log related to the input?

remy06
Contributor

Hi, I've tried your suggestion and have started receiving events already. Although in splunkweb the 3 channels don't show, I guess it doesn't matter. Thanks.

0 Karma

jbsplunk
Splunk Employee

You could do this by removing the checkpoint files. By default, they are in

C:\Program Files\Splunk\var\lib\splunk\persistentstorage\WinEventLog\

The files are Security_Checkpoint, Application_Checkpoint, and System_Checkpoint. Stop splunk, rename them to .old and move them out of the way, then restart. If the checkpoint is corrupt, this should take care of the problem.

0 Karma
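The checkpoint reset described in the answer above, written out as a PowerShell script. This is an added example, not code from the thread or from Splunk: it assumes the default install path quoted above, uses splunk.exe stop/start, keeps the old checkpoints under a timestamped .old name instead of deleting them, and then greps splunkd.log (the file jbsplunk asked about) for WinEventLog messages after the restart. Run it from an elevated prompt on the forwarder.

```powershell
# Added example: rotate possibly corrupt WinEventLog checkpoint files on a
# Splunk 4.x Windows forwarder, following the steps in the thread.
# Assumptions (not from the thread): Splunk lives under $SplunkHome and the
# forwarder is controlled with splunk.exe stop / start.

$SplunkHome  = 'C:\Program Files\Splunk'
$Checkpoints = Join-Path $SplunkHome 'var\lib\splunk\persistentstorage\WinEventLog'
$SplunkExe   = Join-Path $SplunkHome 'bin\splunk.exe'
$SplunkdLog  = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
$Channels    = 'Application', 'Security', 'System'
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Stop the forwarder so nothing writes to the checkpoints while we move them.
& $SplunkExe stop
if ($LASTEXITCODE -ne 0) { throw "splunk stop failed with exit code $LASTEXITCODE" }

# 2. Rename <Channel>_Checkpoint to <Channel>_Checkpoint.<stamp>.old.
#    Renaming instead of deleting keeps the suspect file for later inspection.
foreach ($ch in $Channels) {
    $file = Join-Path $Checkpoints "${ch}_Checkpoint"
    if (Test-Path -LiteralPath $file) {
        Rename-Item -LiteralPath $file -NewName "${ch}_Checkpoint.$Stamp.old"
        Write-Host "moved aside: $file"
    } else {
        Write-Host "no checkpoint file for $ch (nothing to do)"
    }
}

# 3. Start the forwarder again; it creates fresh checkpoints for each channel.
& $SplunkExe start
if ($LASTEXITCODE -ne 0) { throw "splunk start failed with exit code $LASTEXITCODE" }

# 4. Show the most recent WinEventLog-related lines from splunkd.log so any
#    input error after the restart is visible immediately.
Start-Sleep -Seconds 30
Select-String -Path $SplunkdLog -Pattern 'WinEventLog' | Select-Object -Last 20
```

With the checkpoints gone, the input restarts from the beginning of each event log rather than from where it left off, so expect it to re-read events that are still present in the Windows logs; some duplicates of already indexed events on the indexer are the normal side effect of this fix, not a sign that something else is wrong.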

remy06
Contributor

I've also checked splunkd.log. There doesn't seem to be any error. How can I completely remove the channels and add them back again?

0 Karma

remy06
Contributor

local event log collection.

0 Karma

jbsplunk
Splunk Employee

Sorry, I am still a bit unclear about which mechanism is being used. You are using local, or remote event log collection?

0 Karma

remy06
Contributor

Hi,

I've installed a forwarder on the DC, configured via splunkweb data inputs to collect App, Security, System events.

I've tried removing the channels initially when I first realised the problem, but when I tried adding them back, splunk wasn't able to save it as the channels are not reflected in the local event collectors. I've also tried adding them manually in inputs.conf, but it doesn't work.

So I went ahead to upgrade to v4.1.5 and was able to add them back, and the 3 channels are reflected in the local event collectors now. However, it doesn't seem to be indexing any events.

0 Karma
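For readers who want to define the three local event log inputs in inputs.conf by hand, as remy06 tried above, this is what the stanzas look like. It is an added example, not configuration from the thread; the file location under etc\system\local and the single-colon stanza form are what a Splunk 4.x forwarder expects, and `index = main` is only a placeholder for whatever index the deployment actually uses.

```ini
; Added example: %SPLUNK_HOME%\etc\system\local\inputs.conf on the forwarder.
; One stanza per local Windows event log channel; Splunk 4.x uses the
; [WinEventLog:<Log Name>] form. Restart splunkd after editing.

[WinEventLog:Application]
disabled = 0
index = main

[WinEventLog:Security]
disabled = 0
index = main

[WinEventLog:System]
disabled = 0
index = main
```

After a restart the three channels should appear under the local event log collection input in splunkweb, and each gets its own <Channel>_Checkpoint file under var\lib\splunk\persistentstorage\WinEventLog; if a stanza is present but no checkpoint file ever appears for it, splunkd.log is the place to look for the reason.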