Hello,
We have the Splunk windows app setup to monitor the system eventlogs on our citrix server and it appears to be pulling in the wrong information for task category. Below is an example of the event in splunk and the actual event on the server where the TaskCategories do not match up. Any ideas on where it would be setting this incorrectly?
Thanks!
Would like to follow up on this thread to see if there is any resolution. In my case the value of Task Category was changed from 2001 to be 2%. The problem is sporadic.
Go to the server that generated the log and from the Event Viewer >> System log screen and select the log entry in question. Select the Details Tab and then select the XML radio button. Scroll down to the
Now, select Filter Current Log from the right. In the Filter window select Terminal Services Licensing from the Event Sources dropdown menu. This should enable the Task Category dropdown. From the Task Category dropdown select “The Remote Desktop Licensing service has started” (if it’s there), and select OK to run the filter. See if the log entry in question is included in the filter.
If the Task Category is not there, then the question is where is Splunk getting it from.
If the Task Category is there and the log entry is included in the filtered set, then Windows is not populating the Task Category field correctly.
If the Task Category is there and the log entry is not included in the filtered set, then the question is why is Splunk replacing None with this Category.
Another thing you can try is to export the _raw data for that log entry. The _raw data should be what is interpreted by Windows and sent to Splunk, so if the _raw data is wrong, then it is a Windows problem.
Lastly, do you see this in any other Event Code/ID? I do not have this particular code, so I can't investigate it directly.
The string that is getting set is coming from the “windows_event_details.csv” file. You can find this file in the /windows/lookups/ folder.
This file is going to be associated with a Lookup.
You can find the name this way:
Go to Manager > Lookups > Lookup Definitions, and select Windows from the dropdown menu. Open each one and see which one is referencing the windows_event_details.csv file. That is the one you want to disable.
Be aware that any searches that depend on that Lookup will throw an alert that they cannot find that Lookup.
Re-enable the DNS Lookup.
I took a look on the SH and didnt notice any lookups but did find some on the indexer where the data is coming from. I disabled the DNS lookup but it did not seem to resolve the lookup issue. Would the lookup be on the SH or what else should i look into?
That's your problem. It's actually a quite glorious if you think about it.
I think what you have is a self populating lookup table. I've seen this before with AD/DNS monitoring where it learns the relationship between IPs and ComputerNames.
You can disable the lookup, or learn to live with the output, which is to some extent at least, that is valid for this Event ID.
We are on 5.0.1 and here is the output. If you want me to modify the grep please let me know:
grep -i 'License' windows_*
windows_event_details.csv:System,21,"Microsoft-Windows-TerminalServices-Licensing","The Remote Desktop Licensing service has started.",Warning,"The Remote Desktop license server """" does not have any remaining permanent licenses of the type ""Windows Server 2008 or Windows Server 2008 R2 : Per Device CAL (TS or RDS)"""
windows_event_details.csv:System,38,"Microsoft-Windows-TerminalServices-Licensing","The Remote Desktop Licensing service has started.",Error,"The Remote D
What version?
Also, search /etc/apps/windows/lookups/*files for "The Remote Desktop License service has started".
We just have the Splunk windows app running on the indexers and search heads.
FYI, that means that there are no Task Categories associated with that source. Splunk has to be getting it from somewhere. My guess is an automated url lookup for Event ID descriptions that populates the field prior to indexing or searching.
What Windows related Apps are you running on your Indexer?
When I enter TerminalServices-Licensing to Event Sources it wont even allow me to select a Task Category.
How about the Task Category filter? Is “The Remote Desktop Licensing service has started” listed when you select "Terminal Services-Licensing" as the source? And if so, does it catch the event in question?
Thanks for your response! It looks like it is just showing "none" in all the event logs and 0 in the xml so it looks like the issue is where Splunk is getting the task category "The Remote Desktop License service has started". Even when I do a raw export it still shows the message instead of none. I installed the UF to collect these logs so I doubt that is the issue instead of installing the Windows TA. Thoughts on where to go next?