Change Windows Event Log Format

AaronMoorcroft
Communicator

Hi guys

Please see below for an example of the event log I'm referring to.

In a nutshell, we send some logs off to a 3rd party, but they're telling us that they are having issues reading them from Splunk. I have looked into this, and Splunk is sending the events from Windows without issue; however, the description has an error. After reading up a little, there are a few posts on here, but I don't see an answer that has resolved this as yet. From what I have read, it looks like we may need to try and change the way that Windows writes the event log. I'm not even sure if we can do this, but I was hoping that someone out there may have had this before and resolved the issue.

<13> XXXXXXXXXX 03/08/2013 02:50:49 PM
Log Name=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4776
EventType=0
ComputerName=XXXXXXXXXXXXX
TaskCategory=None
OpCode=None
RecordNumber=6063330
Keywords=None
Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.
FormatMessage error: The handle is invalid.
Got the following information from this event:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
XXXXXXXXXXXXX
XXXXXXXXXXXXX

Any help would be much appreciated.
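The degraded event in the post above still carries the raw insertion strings after "Got the following information from this event:", so a downstream consumer can recover the security-relevant fields (account, source workstation, status code) even when Splunk fails to render the Message. The parser below is an added illustration, not code from this thread or from Splunk: it splits a forwarded stream on the <PRI> header line, parses the Key=Value fields, flags events whose Message carries the "Splunk could not get the description" error, and maps the leftover insertion strings to names. The sample events, hostnames and account names are constructed; the positional names for event 4776 (Authentication Package, Logon Account, Source Workstation, Error Code) follow the 4776 message template and are an assumption of the example, as is the header layout, which is copied from the post's sample.

```python
"""Parse Splunk syslog-forwarded Windows events; salvage insertion strings when Message failed."""
import re

# Splunk's syslog output header: <PRI> host MM/DD/YYYY hh:mm:ss AM|PM (layout taken from the post)
HEADER_RE = re.compile(
    r"^<\d+>\s+(?P<host>\S+)\s+(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)\s*$")
UNRESOLVED_MARKER = "Splunk could not get the description for this event"
INSERTION_MARKER = "Got the following information from this event:"
# Positional names for the raw insertion strings of event IDs this script knows.
# Assumption: the order follows the event 4776 message template
# (Authentication Package, Logon Account, Source Workstation, Error Code).
INSERTION_NAMES = {
    4776: ["AuthenticationPackage", "LogonAccount", "SourceWorkstation", "ErrorCode"],
}

# Constructed sample: one event whose description failed (same shape as the
# post) and one that rendered normally. Host and account names are made up.
SAMPLE = """<13> dc01 03/08/2013 02:50:49 PM
Log Name=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4776
EventType=0
ComputerName=dc01.example.local
TaskCategory=None
OpCode=None
RecordNumber=6063330
Keywords=None
Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.
FormatMessage error: The handle is invalid.
Got the following information from this event:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
jdoe
WKSTN-42
0xC000006A
<13> dc01 03/08/2013 02:50:51 PM
Log Name=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4776
ComputerName=dc01.example.local
RecordNumber=6063331
Message=The computer attempted to validate the credentials for an account.

Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:    svc-backup
Source Workstation:    WKSTN-7
Error Code:    0x0
"""


def split_events(text):
    """Split a forwarded stream into per-event blocks at each <PRI> header line."""
    blocks = []
    for line in text.splitlines():
        if HEADER_RE.match(line):
            blocks.append([line])
        elif blocks:  # continuation of the current event, including the Message body
            blocks[-1].append(line)
    return ["\n".join(b) for b in blocks]


def salvage_insertion_strings(event_code, message):
    """Map the raw insertion strings Splunk still emits onto field names."""
    lines = [l.strip() for l in message.splitlines()]
    if INSERTION_MARKER not in lines:
        return {}
    values = [v for v in lines[lines.index(INSERTION_MARKER) + 1:] if v]
    names = INSERTION_NAMES.get(event_code, [])
    # Unknown event IDs (or extra strings) get generic positional names.
    return {names[i] if i < len(names) else f"InsertionString{i + 1}": v
            for i, v in enumerate(values)}


def parse_event(block):
    """Parse one event block into header, Key=Value fields and Message text."""
    lines = block.splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("block does not start with a Splunk syslog header")
    fields, message, in_message = {}, [], False
    for line in lines[1:]:
        if in_message:  # Message runs to the end of the event and may span lines
            message.append(line)
        elif line.startswith("Message="):
            in_message = True
            message.append(line[len("Message="):])
        elif "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    text = "\n".join(message).rstrip()
    code = int(fields["EventCode"]) if fields.get("EventCode", "").isdigit() else None
    resolved = UNRESOLVED_MARKER not in text
    return {"host": m.group("host"), "timestamp": m.group("ts"), "event_code": code,
            "fields": fields, "message": text, "message_resolved": resolved,
            "salvaged": {} if resolved else salvage_insertion_strings(code, text)}


def unresolved_summary(text):
    """Return (total events, events whose description failed) for a stream."""
    events = [parse_event(b) for b in split_events(text)]
    return len(events), sum(not e["message_resolved"] for e in events)


if __name__ == "__main__":
    for ev in map(parse_event, split_events(SAMPLE)):
        print(ev["fields"]["RecordNumber"], ev["event_code"], ev["message_resolved"], ev["salvaged"])
```

The unresolved/total ratio from `unresolved_summary` is also a cheap health check for the forwarder itself: a jump in unresolved events after a forwarder upgrade, or on one host only, points at the forwarder or at missing message DLLs on the reading host rather than at the consumer.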

1 Solution

kristian_kolb
Ultra Champion

This was a known bug in v4.3.2, I believe. From the release notes for that version:

•Reading of the Message field for Windows Event Log data will frequently fail, showing a message such as "Splunk could not get the description for this event." instead of the correct message text. As a temporary workaround, continue using 4.3.1 or earlier on Windows forwarders when gathering this data. (SPL-51312) 

This was fixed in 4.3.3. However, if I remember correctly, there was a memory leak in the Windows Universal Forwarder v4.3.3, so get a newer version than that.

http://docs.splunk.com/Documentation/Splunk/4.3.3/ReleaseNotes/4.3.3

OR

It could also be that you are trying to read the .evt files directly, which really can't be done, since they are not regular text log files. Thus, if you copy the .evt files to another location, you will not get the complete event.

See the following for more info

http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/WhatSplunkcanmonitor#Windows_sources

Hope this helps.

/Kristian



jrodman
Splunk Employee

I agree with Kristian about the likely 4.3.2 cause. That's 4.3.2 where the data is being tailed, not any later point in the chain.

As a minor correction, we do support tailing .evt/.evtx files, but only on Windows (because we ask the Microsoft subsystem to process them). But there are a variety of dragons here due to the design of Windows Event Log. Primarily, reading .evt files on systems other than the producing one can lack the backing data from the DLLs in which we're supposed to look up these strings, and produce this same symptom.
