Splunk stopped collectiing Windows Event logs of R...

quipment · ‎02-04-2013

Hi,

We have Windows 2008 R2 SP1 with splunk 5 installed in Domain network.

We have configured to collect windows "System" event log .

But it suddenly stops collecting windows events when the remote system rebooted. and we cannt get events until the "splunkd" service restarted from the server.

After restarting "splunkd" the server starts get collectiong events. but again stops as soon as the remote server or client rebooted.

The firewall is turned off at both ends.

Thanks ,
Prakash

quipment · ‎02-14-2013

Hi,

Enabled debug logging level for wmi from link and found out wmi will retry after 5000 seconds Ref : http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/TroubleshootingWMI#Splunk_can.27t... .

and by editiing wmi.conf from C:\Program Files\Splunk\etc\system\local and setting time out values

Thanks
Prakash

yannK · ‎02-04-2013

make sure that you configured splunk service to start at boot .....

sdaniels · ‎02-04-2013

It may be helpful to share any errors that you are seeing in the splunkd logs.

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself

I would recommend using the Splunk on Splunk App in the future which will help you search across all Splunk logs when you have an issue like this.

Splunk stopped collectiing Windows Event logs of Remote

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life