- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to troubleshoot why Splunk is generating Event...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk appears to be calling "Win32_Product" WMI function that triggers a consistency check of installed applications causing numberous 1035 event codes to be generated in the event log (approximately 100 every 10 minutes). It appears to correlate nicely with perfmon queries.
eventtype="wineventlog_windows" sourcetype="WinEventLog:*" EventCode=1035 SourceName=MsiInstaller
I can confirm that, through PowerShell, executing "Get-WmiObject Win32_Product" does indeed trigger the 1035 events/
I've looked through our configs and have verified that we are not running a Win32_Product WMI query explicitly and I verified that running the Splunk command 'splunk-wmi' does not trigger the generation of 1035 events.
Not all machines exhibit this problem and we have not been able to determine a pattern on why some are affected and others are not.
Software
- Windows Server 2012
- Splunk Universal Forwarder 6.2.2
More information in Microsoft KB article:
- Event log message indicates that the Windows Installer reconfigured all installed applications: https://support.microsoft.com/en-us/kb/974524
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This problem was fixed in Splunk 6.3.0. I've personally verified it with Splunk 6.3.2 Universal Forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have problem with splunk generating multiple events with event id 1035 generated by MsiInstaller. I have upgraded Splunk from 7.0.0 to 7.3.1, still no use. We are running on Windows Server 2016. Any help would be much appreciated. Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note that the every 10 minutes issue for us appears to be tied to WinHostMon stanzas. The default interval for WinHostMon is every 10 minutes. Procmon is currently set to every 1 minute for us so I don't believe this to be causing the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This problem was fixed in Splunk 6.3.0. I've personally verified it with Splunk 6.3.2 Universal Forwarder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have same problem. Applications Event logs are filled with multiple events with id 1035 generated by MsiInstaller. I upgraded Splunk from 7.0.0 to 7.3.1, still no use. We are running on Windows Server 2016. Any help would be much appreciated. Thanks in advance.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
