Hi All, having an issue with splunk winhostinfo input. All works fine and then randomly the following errors kick in: ERROR ExecProcessor - Couldn't start command ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe"": Access is denied. After the error, it will not even try it again, like it is locked for good. Running 6.6.4 UF. Any idea? Even if it fails, I would expect it to retry on the next scheduled time. Now the only solution is to restart UF.
I assume you've already checked things like Antivirus & Firewalling?
Reading elsewhere, it would seem the newer versions (6.6.7+ of the UF) have a fix to restart the winhostmon.exe based input after such a failure, so your solution would likely be to upgrade your UFs.
I have not seen 6.6.7+ documented anywhere; at least in the fixed issues it does not exist. I read somewhere that people had issues with version 5.x. Do you have a source for where you found this?
This is mentioned by a colleague here:
https://answers.splunk.com/answers/716685/splunk-universal-forwarder-suddenly-stop-receiving.html
I've also checked internally, and this issue was reported as SPL-155042 and might have had to do with Symantec Endpoint Protection blocking the process. If you use that, it might be worth disabling it via a rule to whitelist the UF input executables. It was confirmed that upgrading to the versions listed below fixed the issue.
The fix to restart the various Windows inputs on a UF was SPL-144368, included in versions 6.5.8+, 6.6.7+. That should also be in any 7.x versions.