Solved: received event for unconfigured/disabled index=_au...

heterodyned · ‎03-10-2011

Currently, I have enabled splunk forwarder on a particular windows box with SSL encryption to the indexer. ( Although this may not be actually the source of the issue)

I am receiving events for unconfigured/disabled index='_audit' on the forwader for some reason. I did verify that all the indexes in the forwarder are enabled, and the same holds true for the receiver

Any idea what could be the source of the issue?

jbsplunk · ‎03-24-2011

This is a defect in 4.1.x, the message happens when you restart a LWF. I have been able to replicate the issue. It has been reported to support and is being investigated by engineering. This has been added to the known issues document, see SPL-37337:

http://www.splunk.com/base/Documentation/4.1.7/ReleaseNotes/Knownissues

View solution in original post

jbsplunk · ‎03-24-2011

This is a defect in 4.1.x, the message happens when you restart a LWF. I have been able to replicate the issue. It has been reported to support and is being investigated by engineering. This has been added to the known issues document, see SPL-37337:

http://www.splunk.com/base/Documentation/4.1.7/ReleaseNotes/Knownissues

heterodyned · ‎03-10-2011

I could fix this issue, the windows forwarder was actually configured as LightForwarder and was still operating in LightForwarder Mode, ( this was done by someone previously) and at the sametime I was using the SplunkWebUI for this particular server, which was causing these events.

Solution: I disabled splunk-light forwarder and enabled forwarder mode, the issue got resolved

received event for unconfigured/disabled index=_audit

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases