I recently deployed 4.3.2 Universal Forwarders to Windows Server 2008 R2 DCs. Since then, Splunk has been picking up a lot of WinEventLog:Security events, which would be great, but Splunk is failing to parse the "Message" field in the events. Instead we see data like so:
"Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt."
"FormatMessage error: the message resource is present but the message is not found in the string/message table"
The corresponding events render correctly on the Server 2008 R2 systems, when viewed in Event Viewer.
Advice appreciated. Am I out of luck with the 4.3.2 Universal Forwarder? Will a heavyweight forwarder fix the problem?
(The indexer is running 4.3.2 too, if it helps).
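An added diagnostic, not part of the original question or its follow-up: this PowerShell snippet can be run on the 2008 R2 DC itself to confirm that Windows can resolve the Security event descriptions locally (the same FormatMessage lookup the forwarder performs) and to show which message resource file each provider points at. If every event resolves here while the forwarder still reports "could not get the description", the problem sits in the forwarder rather than in the DC's message tables. The log name, the 200-event window and the output layout are illustrative choices; the code is written for PowerShell 2.0 as shipped with 2008 R2.

```powershell
# Added diagnostic (not from the original post). Run elevated on the DC.
# Pull recent Security events the way a log consumer would and flag those
# whose description could not be resolved through the provider's message DLL.
$events = Get-WinEvent -LogName Security -MaxEvents 200 -ErrorAction Stop

# A null/empty Message means Windows itself failed the FormatMessage lookup.
$unresolved = $events | Where-Object { [string]::IsNullOrEmpty($_.Message) }

Write-Host ("Checked {0} Security events; {1} have no resolvable Message." -f `
    $events.Count, @($unresolved).Count)

# For each provider with unresolved descriptions, report the message resource
# file Windows expects to load and whether that file is actually present.
$unresolved | Group-Object ProviderName | ForEach-Object {
    $meta = Get-WinEvent -ListProvider $_.Name -ErrorAction SilentlyContinue
    $path = $(if ($meta) { $meta.MessageFilePath } else { $null })
    New-Object PSObject -Property @{
        Provider        = $_.Name
        Unresolved      = $_.Count
        EventIds        = (($_.Group | ForEach-Object { $_.Id }) | Sort-Object -Unique) -join ','
        MessageFilePath = $(if ($path) { $path } else { '<provider metadata not found>' })
        FileExists      = $(if ($path) {
                                Test-Path ([Environment]::ExpandEnvironmentVariables($path))
                            } else { $false })
    }
} | Select-Object Provider, Unresolved, EventIds, MessageFilePath, FileExists |
    Format-Table -AutoSize
```

On a healthy DC the unresolved count is zero, matching the observation that Event Viewer renders the events correctly; a non-zero count with `FileExists` false would instead point at a missing or unregistered message DLL (for the Security log this is normally `%SystemRoot%\system32\adtschema.dll`) rather than at the forwarder.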
Thanks for the tip. Upgrading to 5.0.1, across the board, fixed the issue.