Getting Data In

WinEventLog information from WMI isn't making it to the indexer.

DerekB (Splunk Employee)

All of my .conf files are set up correctly, yet I still can't get any WinEventLog information via WMI into my indexer. What am I missing?

1 Solution

DerekB (Splunk Employee)

After turning on debug logging on the ExecProcessor, we found the following:

10-05-2012 17:03:40.116 -0600 DEBUG ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-wmi.exe"" WMI - getEventLogWql: DESC: chk=4294967295, low=4294967294, hi=4294967295 (ad2.uheaa.ushe.local: Security)
10-05-2012 17:03:40.116 -0600 DEBUG ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-wmi.exe"" WMI - Event log wql "SELECT Category, CategoryString, ComputerName, EventCode, EventIdentifier, EventType, Logfile, Message, RecordNumber, SourceName, TimeGenerated, TimeWritten, Type, User FROM Win32_NTLogEvent WHERE Logfile = "Security" AND RecordNumber > 4294967294" (ad2.uheaa.ushe.local: Security)

The problem is the current record number is 13902929. With the query looking for a number greater than 4294967294, it would never pick up the information.

It appears that once the RecordNumber for an event log event exceeds 4,294,967,296, WMI can no longer query using the RecordNumber as a numeric criterion.
It appears that the wmi class can only hold numbers up to 2^32 or 4,294,967,296 while the event log of Server 2008 R2 can hold a number of 2^64.

The question now becomes whether it is possible to change the record number to make it able to be picked up in the query and thus bring the data into the indexer.
Yes, it can be done. Here is how.

Using the following link, first reset the wmi_checkpoint file for the server that isn't being logged. That allows a one time import of the events but will not give you continuous logging.

http://splunk-base.splunk.com/answers/12245/windows-server-with-corrupted-security-log

Based on the information in the link below, WMI would not be able to query these events unless we can reset the RecordNumber. So let's treat it as if the event log was corrupt.
Follow Microsoft's documentation to delete the security log and allow the system to recreate the log resetting the RecordNumber to 1. Then we can reset the wmi_checkpoint file again and logging should start working.

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/78e6d555-0f5d-4def-92d5-14d3ad6...

http://support.microsoft.com/kb/172156
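As an added example (not part of the original post), the following Python check parses ExecProcessor debug lines of the kind quoted above and flags any host whose WMI checkpoint is pinned at the 32-bit ceiling, so the stall is noticed before the data gap grows. The first sample line is the one from the answer; the second line, the host dc1.example.local and the abbreviated WQL column list are constructed for illustration.

```python
import re

UINT32_MAX = 2**32 - 1  # 4294967295, the saturated checkpoint value in the debug output

# Pattern for the splunk-wmi.exe "getEventLogWql: DESC:" debug message quoted above.
CHK_RE = re.compile(
    r"getEventLogWql: DESC: chk=(\d+), low=(\d+), hi=(\d+) \(([^:]+): ([^)]+)\)"
)

# Constructed sample input: the first line is the debug line quoted in the answer,
# the second is a made-up healthy host (dc1.example.local) for contrast.
SAMPLE_LOG = r"""
10-05-2012 17:03:40.116 -0600 DEBUG ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-wmi.exe"" WMI - getEventLogWql: DESC: chk=4294967295, low=4294967294, hi=4294967295 (ad2.uheaa.ushe.local: Security)
10-05-2012 17:03:41.002 -0600 DEBUG ExecProcessor - message from ""C:\Program Files\Splunk\bin\splunk-wmi.exe"" WMI - getEventLogWql: DESC: chk=13902929, low=13902928, hi=13902929 (dc1.example.local: Application)
"""


def parse_checkpoint_lines(text):
    """Extract host, logfile, chk, low and hi from each matching debug line."""
    records = []
    for line in text.splitlines():
        m = CHK_RE.search(line)
        if m:
            chk, low, hi, host, logfile = m.groups()
            records.append({"host": host, "logfile": logfile,
                            "chk": int(chk), "low": int(low), "hi": int(hi)})
    return records


def build_wql(logfile, low):
    """Rebuild the WQL filter splunk-wmi.exe issues from the checkpoint's low bound
    (column list abbreviated; the real query selects many more fields)."""
    return ('SELECT RecordNumber, TimeGenerated, Message FROM Win32_NTLogEvent '
            f'WHERE Logfile = "{logfile}" AND RecordNumber > {low}')


def can_match(low, current_record):
    """True if a live event with this RecordNumber would satisfy the WQL filter."""
    return current_record > low


def find_saturated(records):
    """Return (host, logfile) pairs whose checkpoint is pinned at the 32-bit ceiling.

    Once hi sits at 2^32-1, the filter 'RecordNumber > 2^32-2' can only be met by
    record numbers WMI cannot represent, so collection for that log has silently stalled.
    """
    return [(r["host"], r["logfile"]) for r in records if r["hi"] >= UINT32_MAX]
```

Run it over splunkd.log after enabling ExecProcessor debug logging; a non-empty result from find_saturated identifies the hosts and logs that need the checkpoint reset described above.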

