When setting up a Splunk forwarder for monitoring a Windows server, we receive performance metrics, but not Windows events. When I enter the application log's data input settings and ask it to look for logs on the server, I am given the following error:
'win-wmi-enum-eventlogs': Admin handler 'win-wmi-enum-eventlogs' not found.
I suspect this is related to my issue, as the forwarder doesn't seem to be able to enumerate the event logs on the server and I am having trouble receiving logs from it. Is this a known error, or is this likely to be an issue with the Windows Server?
The forwarder is version 6.2.5 and is being run as the local system; the server is a domain controller and I've tried running it as system and as the domain administrator.
What does the stanza for one of those inputs look like?
I don't have access to my DC at the moment, but I think the UF on the local system shouldn't be using WMI for this, but instead should have stanzas like the below in inputs.conf:
[WinEventLog://Application]
... stuff in here...
Shucks, easy answer didn't work. 🙂
On your DC, try
c:\program files\splunkuniversalforwarder\splunk\bin\splunk cmd btool --debug inputs list | clip
Then paste that into your favorite text editor. Obviously fix up your path as required.
Once you have that, search for a few things and see what it says. One would be to search for/find the stanza for your wineventlog://application, so search for that -
[WinEventLog://Application]
Maybe it could be useful to see what shows up if you search for wmi, too - that might need to be repeated a few times to find the right sections.
If you haven't read btool output before it can be a bit overwhelming at first, but it really is a bit more straightforward than it first looks. Here are the docs for usage of btool. I haven't found anything great on how to read it, but really, it's not as hard as it looks if you give it a shot.
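As an added example (not code from this thread or from Splunk), a small Python script that does the reading described above: it parses the output of `splunk cmd btool --debug inputs list`, keeps each stanza's keys together with the file that set them, and reports which index every enabled WinEventLog input will land in (Splunk's default is main when no index key is set). The btool sample embedded below is constructed for illustration and does not reflect any real Splunk_TA_windows defaults.

```python
import re
from collections import OrderedDict

# Constructed sample of `btool --debug inputs list` output (illustrative only):
# every line is "<winning .conf path> <stanza header or key = value>".
SAMPLE_BTOOL = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Application]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf start_from = oldest
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [monitor://$SPLUNK_HOME\var\log\splunk]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf index = _internal
"""

# The path may contain spaces ("Program Files"), so split at the first ".conf".
LINE_RE = re.compile(r"^(?P<file>.+?\.conf)\s+(?P<body>.+)$")
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_btool_debug(text):
    """Return {stanza: {key: (value, winning_file)}} in output order."""
    stanzas, current = OrderedDict(), None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank or non-btool line
        path, body = m.group("file"), m.group("body").strip()
        s = STANZA_RE.match(body)
        if s:                             # new stanza header
            current = s.group("name")
            stanzas.setdefault(current, OrderedDict())
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")
            stanzas[current][key.strip()] = (value.strip(), path)
    return stanzas


def enabled_eventlog_inputs(stanzas):
    """{stanza: (index, file that set it)} for enabled WinEventLog inputs."""
    result = {}
    for name, keys in stanzas.items():
        if not name.lower().startswith("wineventlog://"):
            continue
        if keys.get("disabled", ("0", ""))[0].lower() in ("1", "true"):
            continue
        # No index key anywhere means Splunk's built-in default, "main".
        result[name] = keys.get("index", ("main", "<not set: Splunk default>"))
    return result


if __name__ == "__main__":
    for stanza, (idx, src) in enabled_eventlog_inputs(parse_btool_debug(SAMPLE_BTOOL)).items():
        print(f"{stanza}: index={idx}  (set in {src})")
```

Run it with the real btool output piped in or pasted into SAMPLE_BTOOL; the file column tells you which inputs.conf to edit if an input is landing in the wrong index.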
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Application]
The same shows up for all of the logs I want to monitor. Oddly enough, the logs now seem to be pulled OK once I explicitly declare the root directory, but they are going into the wrong index: hitting 'wineventlog' instead of 'main', which means the search for the host doesn't show them. Still, I suspect that this is something I need to configure on the log server and not an issue with the client.
Apparently SPLUNK_HOME isn't set, which is odd because I've defined it as an environment variable, so I'm guessing it's missing from one of the head-end config files. I'll get this fixed and read through the input as soon as I can; thanks for your help.
EDIT: SPLUNK_HOME isn't explicitly set, but the default directory for it (one above .\etc) should be correct. In addition, when I uncomment the explicit definition in splunk-launch.conf the reporting tool starts working.
Thanks for the reply.
I had a look in SPLUNKDIR\etc\apps\Splunk_TA_windows\local\inputs.conf and I found the following entries for the event logs:
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
This just seems to be a switch to toggle them on and off, so is there anywhere else I should be looking for configuration? I notice the template file has far more options for each log, but I also notice it doesn't have any source definition options.