Getting Data In

windows universal forwarder events not parsing on receiver

kerr63
New Member

Hello,
Using Splunk 4.2 (96430) for both a Universal Forwarder and a regular/receiver installation, on Windows Server 2003 R2, both systems same version, service pack, etc. Forwarder is successfully sending to receiver, correctly monitoring selected log files. We want to monitor the Windows Event Log for DNS services, and it is correctly sending that data; however, at the receiver, it is not parsing the DNS Server messages, stating:

"Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt."

DNS Server is also installed on the receiving system, and monitoring the DNS Server event log properly parses the local DNS events. All other fields (except hostname and record number) are identical, so it recognizes that these are DNS events.

How would one make the received (forwarded) DNS events parse to get the proper Message description just like the local DNS events? Both systems have DNS Server, same Windows version, etc. It seems even though Splunk is receiving the events properly, it won't parse the forwarded events.

Thanks-
J

0 Karma

kerr63
New Member

In the meantime, using another tool as a sender to the syslog "stream" also works. MS has a tool called LogParser which can be scripted and scheduled to read event logs and output to syslog, and the Snare Agent for Windows can also understand the event logs properly. The receiver/indexer accepts both of these just fine with proper event messages and descriptions.

0 Karma

Brian_Osburn
Builder

I think this is related to this bug:

The Message field is not extracted and is therefore missing from imported Windows event log file (.evt) data. (SPL-24947) (The list of known issues is located here.)

From what I understand, this is a troublesome bug which resides mostly on Microsoft's side.

0 Karma

kerr63
New Member

Splunk extracts the message field properly for the local event log. What part of Splunk is doing that, and where could the input from the forwarder be directed to do that same lookup? If it's reading it from a DLL or other event code table, there could be a way to process the forwarded events in the same fashion.

0 Karma
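The lookup asked about above is the standard Windows event-message resolution: the registry key for the log and source names one or more message DLLs (EventMessageFile), the reader loads that DLL and calls FormatMessage with the record's full 32-bit instance ID and its insertion strings. The script below reproduces that chain by hand for the newest record in a log and compares the result with what .NET (and Event Viewer) produce. It is an added example, not code from the thread or from Splunk; the log name 'DNS Server', the source 'DNS' and the requirement of PowerShell 2.0 or later on the host are assumptions.

```powershell
# Added example (not from the thread): resolve a Windows event's Message text the way
# Windows does it, from the provider's registered message DLL, so you can see what
# the reading host needs: the DLL, the full instance ID and the insertion strings.
# Assumptions (illustrative): log 'DNS Server', source 'DNS', PowerShell 2.0+.
param(
    [string]$LogName = 'DNS Server'
)

Add-Type -Namespace Win32 -Name Msg -MemberDefinition @'
[DllImport("kernel32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
public static extern int FormatMessage(uint dwFlags, IntPtr lpSource, uint dwMessageId,
    uint dwLanguageId, System.Text.StringBuilder lpBuffer, int nSize, string[] Arguments);
'@

$LOAD_LIBRARY_AS_DATAFILE      = 0x00000002
$FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200
$FORMAT_MESSAGE_FROM_HMODULE   = 0x00000800
$FORMAT_MESSAGE_ARGUMENT_ARRAY = 0x00002000

function Resolve-EventMessage {
    param([System.Diagnostics.EventLogEntry]$Entry, [string]$LogName)

    # 1. The registry says which DLL(s) hold the message table for this source.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$($Entry.Source)"
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $reg -or -not $reg.EventMessageFile) {
        return "<no EventMessageFile registered for source '$($Entry.Source)' in log '$LogName'>"
    }
    $files = [Environment]::ExpandEnvironmentVariables($reg.EventMessageFile) -split ';'

    # Insertion strings (%1, %2, ...) come from the record itself. If the record carries
    # none, tell FormatMessage to leave the placeholders alone rather than read past
    # an empty argument array.
    $inserts = [string[]]$Entry.ReplacementStrings
    $flags = $FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_ARGUMENT_ARRAY
    if ($inserts.Count -eq 0) { $flags = $flags -bor $FORMAT_MESSAGE_IGNORE_INSERTS }

    foreach ($file in $files) {
        # 2. Load the DLL as a data file (no DllMain runs) ...
        $h = [Win32.Msg]::LoadLibraryEx($file, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
        if ($h -eq [IntPtr]::Zero) { continue }
        try {
            # 3. ... and look up the full 32-bit InstanceId, not the 16-bit "Event ID"
            #    Event Viewer shows; the severity/facility bits are part of the key.
            $sb = New-Object System.Text.StringBuilder 4096
            $n = [Win32.Msg]::FormatMessage($flags, $h, [uint32]$Entry.InstanceId, 0,
                                            $sb, $sb.Capacity, $inserts)
            if ($n -gt 0) { return $sb.ToString().TrimEnd() }
        } finally {
            [void][Win32.Msg]::FreeLibrary($h)
        }
    }
    return "<message 0x{0:X8} not found in: {1}>" -f $Entry.InstanceId, ($files -join ', ')
}

# Compare our resolution with what .NET / Event Viewer produce for the newest record.
$entry = Get-EventLog -LogName $LogName -Newest 1
"Source      : $($entry.Source)"
"EventID     : $($entry.EventID)  (InstanceId 0x{0:X8})" -f $entry.InstanceId
"Resolved    : " + (Resolve-EventMessage -Entry $entry -LogName $LogName)
"EventViewer : " + $entry.Message
```

Run it on the receiver against the local DNS Server log and the two lines should match. Run it with a log or source whose DLL is not registered on that host and it returns the placeholder instead, which is the situation behind a "could not get the description for this event" message: resolution happens on the machine that reads the record, and it needs the DLL, the full instance ID and the insertion strings together.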