Getting Data In

Why are we not receiving Windows event logs from our domain controller and getting error "Admin handler 'win-wmi-enum-eventlogs' not found"?

amunro
New Member

When setting up a Splunk forwarder for monitoring a Windows server, we receive performance metrics, but not Windows events. When I enter the application log's data input settings and ask it to look for logs on the server I am given the following error:

'win-wmi-enum-eventlogs': Admin handler 'win-wmi-enum-eventlogs' not found.

I suspect this is something related to my issue as the forwarder doesn't seem to be able to enumerate the event logs on the server and I am having trouble receiving logs from this server. Is this a known error or is this likely to be an issue with the Windows Server?

The forwarder is version 6.2.5 and is being run as the local system; the server is a domain controller, and I've tried running it as system and as the domain administrator.

0 Karma

Richfez
SplunkTrust

What does the stanza for one of those inputs look like?

I don't have access to my DC at the moment, but I think the UF on the local system shouldn't be using WMI for this, but instead should have stanzas like the below in inputs.conf:

[WinEventLog://Application]
... stuff in here...

0 Karma

Richfez
SplunkTrust

Shucks, easy answer didn't work. 🙂

On your DC, try
c:\program files\splunkuniversalforwarder\splunk\bin\splunk cmd btool --debug inputs list | clip
Then paste that into your favorite text editor. Obviously fix up your path as required.

Once you have that, search for a few things and see what it says. One would be to search for/find the stanza for your wineventlog://application, so search for that -
[WinEventLog://Application]
Maybe it could be useful to see what shows up if you search for wmi, too - that might need to be repeated a few times to find the right sections.

If you haven't read btool output before it can be a bit overwhelming at first, but it really is a bit more straightforward than it first looks. Here's docs for usage of btool. I haven't found anything great on how to read it, but really, it's not as hard as it looks if you give it a shot.

0 Karma

amunro
New Member

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Application]

The same shows up for all of the logs I want to monitor. Oddly enough, the logs now seem to be pulled OK once I explicitly declare the root directory, but the logs are going into the wrong index: they hit 'wineventlog' instead of 'main', which means the search for the host doesn't show them. Still, I suspect that this is something I need to configure on the log server and not an issue with the client.

0 Karma
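To make the btool dump easier to read and to check which index each WinEventLog stanza resolves to, here is an added Python example (not code from this thread or from Splunk). The sample lines are constructed to mirror the `--debug` output format shown above; the file paths and the `index = wineventlog` line in the default file are assumptions that reproduce the symptom described.

```python
import re
from collections import OrderedDict

# Constructed sample of `splunk cmd btool --debug inputs list` output.
# Not captured from a real server: the paths and the `index = wineventlog`
# setting are assumptions chosen to mirror the symptom in the thread.
SAMPLE_BTOOL = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf [WinEventLog://Application]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf checkpointInterval = 5
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [WMI:LocalApplication]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf disabled = 1
"""

# Each --debug line is "<path to a .conf file>  <stanza header or key = value>".
# The path may contain spaces, so anchor on the first ".conf" instead of splitting.
LINE_RE = re.compile(r"^(?P<file>.+?\.conf)\s+(?P<body>.+)$")


def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} in the order btool printed them."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue  # blank line, banner or warning: not a setting
        src, body = m.group("file"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas.setdefault(current, OrderedDict())
        elif "=" in body and current is not None:
            key, _, value = body.partition("=")
            stanzas[current][key.strip()] = (value.strip(), src)
    return stanzas


def effective_index(stanzas, stanza, default="main"):
    """Index the stanza's events land in, and the file that set it.

    If no file sets `index`, the indexer's default applies (assumed "main")."""
    return stanzas.get(stanza, {}).get("index", (default, "<not set>"))


def find_stanzas(stanzas, needle):
    """Case-insensitive stanza search, the equivalent of grepping the dump."""
    return [s for s in stanzas if needle.lower() in s.lower()]
```

Running `effective_index(parse_btool_debug(SAMPLE_BTOOL), "WinEventLog://Application")` returns the index name together with the path of the file that set it, which is exactly the question the thread is trying to answer.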

amunro
New Member

Apparently SPLUNK_HOME isn't set, which is odd because I've defined it as an environment variable, so I'm guessing it's missing from one of the head-end config files. I'll get this fixed and read through the input as soon as I can; thanks for your help.

EDIT: SPLUNK_HOME isn't explicitly set, but the default directory for it (one above .\etc) should be correct. In addition, when I uncomment the explicit definition in splunk-launch.conf, the reporting tool starts working.

0 Karma

amunro
New Member

Thanks for the reply.

I had a look in SPLUNKDIR\etc\apps\Splunk_TA_windows\local\inputs.conf and I found the following entries for the event logs:

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

This just seems to be a switch to toggle them on and off, so is there anywhere else I should be looking for configuration? I notice the template file has far more options for each log, but I also notice it doesn't have any source definition options.

0 Karma