Getting Data In

WinEventLog information from WMI isn't making it to the indexer.

DerekB
Splunk Employee

All of my .conf files are set up correctly, yet I still can't get any WinEventLog information via WMI into my indexer. What am I missing?

1 Solution

DerekB
Splunk Employee

After turning on debug logging on the ExecProcessor, we found the following:

10-05-2012 17:03:40.116 -0600 DEBUG ExecProcessor - message from "C:\Program Files\Splunk\bin\splunk-wmi.exe" WMI - getEventLogWql: DESC: chk=4294967295, low=4294967294, hi=4294967295 (ad2.uheaa.ushe.local: Security)
10-05-2012 17:03:40.116 -0600 DEBUG ExecProcessor - message from "C:\Program Files\Splunk\bin\splunk-wmi.exe" WMI - Event log wql "SELECT Category, CategoryString, ComputerName, EventCode, EventIdentifier, EventType, Logfile, Message, RecordNumber, SourceName, TimeGenerated, TimeWritten, Type, User FROM Win32_NTLogEvent WHERE Logfile = "Security" AND RecordNumber > 4294967294" (ad2.uheaa.ushe.local: Security)

The problem is the current record number is 13902929. With the query looking for a number greater than 4294967294, it would never pick up the information.

It appears that once the RecordNumber for an event log event exceeds 4,294,967,296, WMI can no longer query using the RecordNumber as a numeric criterion.
It appears that the WMI class can only hold numbers up to 2^32, or 4,294,967,296, while the event log of Server 2008 R2 can hold a number up to 2^64.

The question now becomes whether it is possible to change the record number to make it able to be picked up in the query and thus bring the data into the indexer.
Yes, it can be done. Here is how.

Using the following link, first reset the wmi_checkpoint file for the server that isn't being logged. That allows a one time import of the events but will not give you continuous logging.

http://splunk-base.splunk.com/answers/12245/windows-server-with-corrupted-security-log

Based on the information in the link below, WMI would not be able to query these events unless we can reset the RecordNumber. So let's treat it as if the event log was corrupt.
Follow Microsoft's documentation to delete the security log and allow the system to recreate the log resetting the RecordNumber to 1. Then we can reset the wmi_checkpoint file again and logging should start working.

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/78e6d555-0f5d-4def-92d5-14d3ad6...

http://support.microsoft.com/kb/172156
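The procedure in the answer above (confirm the collector is stuck on a RecordNumber it can never reach, back up and clear the log so numbering restarts at 1, then reset the WMI checkpoint) as a PowerShell script. This is an added example, not code from the original post or from Splunk. It is meant to be run elevated on the Splunk instance doing the WMI collection, pointed at the affected host over the same WMI/RPC path the collector uses. The parameter names, the `$StuckCheckpoint` default (taken from the debug log above), and the checkpoint file location under `$SplunkHome` are assumptions; confirm the checkpoint path against your installation before using `-Fix`.

```powershell
<#
  Added example (not from the original post or from Splunk).
  Diagnose a WMI event-log collector stuck on a RecordNumber checkpoint, and
  optionally back up + clear the log and remove the checkpoint so collection
  restarts. Run elevated on the collecting Splunk host.
  Assumed (not from the page): parameter names below, the checkpoint file path
  derived from $SplunkHome, and that the collector is stopped while the
  checkpoint file is removed.
#>
param(
    [string]$ComputerName    = 'ad2.uheaa.ushe.local',   # host from the debug log
    [string]$LogName         = 'Security',
    [string]$SplunkHome      = 'C:\Program Files\Splunk',
    [string]$RemoteBackupDir = 'C:\EventLogBackups',     # path on the remote host
    [uint64]$StuckCheckpoint = 4294967294,               # value from the debug log
    [switch]$Fix
)

$ErrorActionPreference = 'Stop'
# Assumed location of the collector's WMI checkpoint state; verify on your install.
$WmiCheckpointFile = Join-Path $SplunkHome 'var\lib\splunk\persistentstorage\wmi_checkpoint'

# 1. Width of the record number on each side of the WMI boundary.
#    The Event Log API reports RecordId as a 64-bit integer; the WMI class
#    Win32_NTLogEvent declares RecordNumber as a 32-bit unsigned integer.
$newest        = Get-WinEvent -ComputerName $ComputerName -LogName $LogName -MaxEvents 1
$currentRecord = [int64]$newest.RecordId
$wmiType       = ([wmiclass]'root\cimv2:Win32_NTLogEvent').Properties['RecordNumber'].Type
$wmiMax        = [uint32]::MaxValue   # 4294967295

Write-Host ("Newest {0} RecordId on {1} (Get-WinEvent): {2}" -f $LogName, $ComputerName, $currentRecord)
Write-Host ("Win32_NTLogEvent.RecordNumber CIM type       : {0} (max {1})" -f $wmiType, $wmiMax)

# 2. Re-run the collector's filter with the checkpoint it is stuck on. This is the
#    same WHERE clause shape as the WQL in the debug log; it should return nothing.
$filter = "Logfile = '$LogName' AND RecordNumber > $StuckCheckpoint"
$hits   = @(Get-CimInstance -ComputerName $ComputerName -ClassName Win32_NTLogEvent -Filter $filter)
Write-Host ("Events matching [{0}] : {1}" -f $filter, $hits.Count)

if ($currentRecord -gt $wmiMax) {
    Write-Warning ("RecordId {0} exceeds the uint32 range of RecordNumber; WMI cannot express it." -f $currentRecord)
}
if ($hits.Count -eq 0 -and $currentRecord -lt $StuckCheckpoint) {
    $msg = "Checkpoint {0} is above the newest record {1}: the collector will never see new events until {2} is cleared and the checkpoint reset." -f $StuckCheckpoint, $currentRecord, $LogName
    Write-Warning $msg
}

# 3. Remediation, only on request. Clearing the Security log destroys local
#    evidence and is itself audited (Event ID 1102, "The audit log was cleared"),
#    so always keep the .evtx backup and expect 1102 as the first new record.
if ($Fix) {
    $backup = Join-Path $RemoteBackupDir ('{0}-{1:yyyyMMdd-HHmmss}.evtx' -f $LogName, (Get-Date))

    # Stop the collector so it cannot rewrite the checkpoint from memory.
    & (Join-Path $SplunkHome 'bin\splunk.exe') stop

    # Back up and clear the remote log in one step; numbering restarts at 1.
    wevtutil cl $LogName "/r:$ComputerName" "/bu:$backup"

    # Reset the collector's checkpoint so it starts from the new, low record numbers.
    if (Test-Path $WmiCheckpointFile) { Remove-Item $WmiCheckpointFile }

    & (Join-Path $SplunkHome 'bin\splunk.exe') start

    $first = Get-WinEvent -ComputerName $ComputerName -LogName $LogName -Oldest -MaxEvents 1
    Write-Host ("Oldest {0} record after reset: {1} (Event ID {2})" -f $LogName, $first.RecordId, $first.Id)
}
```

Run it once without `-Fix` to see the three diagnostic lines; the combination of zero hits for the stuck filter and a newest RecordId below the checkpoint is the condition the answer describes. Removing the whole checkpoint file resets every WMI checkpoint the instance keeps, not only the one for the affected host, so on an instance that collects from several servers, stop Splunk and edit only that host's entry instead, as the linked answer on the corrupted-log case describes.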

