<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Windows Server with Corrupted Security Log in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Server-with-Corrupted-Security-Log/m-p/53695#M10367</link>
    <description>&lt;P&gt;I have a server that had a corrupted Security Log.&lt;/P&gt;

&lt;P&gt;In order to resolve that problem I backed up the security log and cleared it.&lt;/P&gt;

&lt;P&gt;Now new events are not showing up from that server's security log in Splunk.
I did some checking of the _internal index and saw that the WMI query that is being used is checking for items where RecordNumber &amp;gt; 6918747. When I cleared the event log, it reset the RecordNumber to 1 on the server, and since 6 million+ security items have not yet happened, the WMI query is gathering no information from that server.&lt;/P&gt;

&lt;P&gt;Is there a command I can run to reset this remembered checkpoint value?&lt;/P&gt;

&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Fri, 04 Mar 2011 05:48:42 GMT</pubDate>
    <dc:creator>taylorchase</dc:creator>
    <dc:date>2011-03-04T05:48:42Z</dc:date>
    <item>
      <title>Windows Server with Corrupted Security Log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Server-with-Corrupted-Security-Log/m-p/53695#M10367</link>
      <description>&lt;P&gt;I have a server that had a corrupted Security Log.&lt;/P&gt;

&lt;P&gt;In order to resolve that problem I backed up the security log and cleared it.&lt;/P&gt;

&lt;P&gt;Now new events are not showing up from that server's security log in Splunk.
I did some checking of the _internal index and saw that the WMI query that is being used is checking for items where RecordNumber &amp;gt; 6918747. When I cleared the event log, it reset the RecordNumber to 1 on the server, and since 6 million+ security items have not yet happened, the WMI query is gathering no information from that server.&lt;/P&gt;

&lt;P&gt;Is there a command I can run to reset this remembered checkpoint value?&lt;/P&gt;

&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 04 Mar 2011 05:48:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Server-with-Corrupted-Security-Log/m-p/53695#M10367</guid>
      <dc:creator>taylorchase</dc:creator>
      <dc:date>2011-03-04T05:48:42Z</dc:date>
    </item>
    <item>
      <title>Re: Windows Server with Corrupted Security Log</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Server-with-Corrupted-Security-Log/m-p/53696#M10368</link>
      <description>&lt;P&gt;Hello Taylor,&lt;/P&gt;

&lt;P&gt;Splunk records its current "position" when reading remote event logs in the %SPLUNK_HOME%\var\lib\splunk\persistentstorage\wmi_checkpoint file.&lt;/P&gt;

&lt;P&gt;This file is in SQLite format and keeps track of Splunk's position in the remote event log stream by using the events' RecordNumber.&lt;/P&gt;

&lt;P&gt;Here is what entries in the file look like when exported to CSV using an SQLite viewer:&lt;/P&gt;

&lt;P&gt;&lt;PRE&gt;&lt;CODE&gt;
"primarykey","secondary1","secondary2","secondary3","value"
"\ruraljuror\root\cimv2|3cedb797","","","","D 6918747 6918746 6918747"
"\ruraljuror\root\cimv2|cc2f7ffa","","","","D 824 823 825 20080407195557.000000-240"
"\ruraljuror\root\cimv2|9a9cabe3","","","","D 172 171 172 20080408141453.000000-240"
"\ruraljuror\root\cimv2|3d8d2a65","","","","D 1853 1852 1853 20080408192617.000000-240"
"\ruraljuror\root\cimv2|16e0ea0e","","","","D 18624 18623 18625"
"\ruraljuror\root\cimv2|22c75216","","","","D 57280 57279 57280"
"\ruraljuror\root\cimv2|cee114bd","","","","D 67780 67779 67781"
&lt;/CODE&gt;&lt;/PRE&gt;&lt;/P&gt;

&lt;P&gt;Note that the event log channels are hashed as the CRC32 checksum of the channel name.&lt;/P&gt;

&lt;P&gt;Example:&lt;/P&gt;

&lt;P&gt;Application -&amp;gt; 22C75216&lt;BR /&gt;
System -&amp;gt; CEE114BD&lt;BR /&gt;
Security -&amp;gt; 3CEDB797&lt;/P&gt;

&lt;P&gt;To look for a specific channel entry, just run the channel name through a CRC32 checksum generator such as &lt;A href="http://crc32-checksum.waraxe.us" rel="nofollow"&gt;http://crc32-checksum.waraxe.us&lt;/A&gt; and look for that entry in the database.&lt;/P&gt;

&lt;P&gt;As an example, let's say that we want to trigger the re-indexing of all event logs for channel "Security" from host "ruraljuror".&lt;/P&gt;

&lt;P&gt;Using an SQLite editor, we would simply drop the following row from the table:
&lt;PRE&gt;&lt;CODE&gt;
"\ruraljuror\root\cimv2|3cedb797","","","","D 6918747 6918746 6918747"
&lt;/CODE&gt;&lt;/PRE&gt;&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;NOTE :&lt;/STRONG&gt; This change should be made when Splunk is stopped.&lt;/P&gt;

&lt;P&gt;With that entry removed, Splunk should re-index all "Security" event logs from host "ruraljuror" on its next restart.&lt;/P&gt;</description>
      <pubDate>Wed, 16 Mar 2011 07:53:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Server-with-Corrupted-Security-Log/m-p/53696#M10368</guid>
      <dc:creator>hexx</dc:creator>
      <dc:date>2011-03-16T07:53:51Z</dc:date>
    </item>
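The procedure in the answer above (compute the CRC32 of the channel name, locate the "\host\root\cimv2|hash" row in the wmi_checkpoint SQLite file, read the stale RecordNumber, delete the row while Splunk is stopped) as a worked example. This is added code, not Splunk's own tooling and not part of the thread. It assumes two things the post does not state: that the hash is the standard zlib CRC32 of the channel name as typed (the answer's values were produced with a web CRC32 tool), and a table name, "checkpoint", used only for the constructed sample database; against a real file the lookup discovers the table by its "primarykey" and "value" columns. The sample rows are constructed from the dump shown in the answer.

```python
"""Inspect and reset a stale Splunk WMI event-log checkpoint (added example)."""
import shutil
import sqlite3
import tempfile
import zlib
from pathlib import Path


def channel_hash(channel: str) -> str:
    """8-digit lowercase hex CRC32 of the channel name (assumed: standard zlib CRC32)."""
    return "%08x" % zlib.crc32(channel.encode("utf-8"))


def checkpoint_key(host: str, channel: str) -> str:
    """Rebuild the primarykey in the form shown in the answer: \\host\\root\\cimv2|hash."""
    return "\\%s\\root\\cimv2|%s" % (host, channel_hash(channel))


def find_checkpoint_table(conn: sqlite3.Connection) -> str:
    """The post does not name the table, so find the one with primarykey/value columns."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for name in names:
        cols = [r[1] for r in conn.execute('PRAGMA table_info("%s")' % name)]
        if "primarykey" in cols and "value" in cols:
            return name
    raise LookupError("no table with primarykey/value columns found")


def parse_value(value: str) -> tuple:
    """'D 6918747 6918746 6918747 [timestamp]' -> (6918747, 6918746, 6918747)."""
    parts = value.split()
    if not parts or parts[0] != "D":
        raise ValueError("unexpected checkpoint value: %r" % value)
    return tuple(int(p) for p in parts[1:4])


def read_checkpoint(db_path: Path, host: str, channel: str):
    """Parsed record numbers for host/channel, or None if no row exists. Look before deleting."""
    conn = sqlite3.connect(str(db_path))
    try:
        table = find_checkpoint_table(conn)
        row = conn.execute('SELECT value FROM "%s" WHERE primarykey = ?' % table,
                           (checkpoint_key(host, channel),)).fetchone()
    finally:
        conn.close()
    return None if row is None else parse_value(row[0])


def reset_checkpoint(db_path: Path, host: str, channel: str) -> int:
    """Back up the file, delete the row for host/channel, return the number of rows removed.

    Run this only while Splunk is stopped, as the answer says; a running instance
    can write the old position back over the edited file.
    """
    shutil.copy2(db_path, db_path.with_name(db_path.name + ".bak"))
    conn = sqlite3.connect(str(db_path))
    try:
        table = find_checkpoint_table(conn)
        cur = conn.execute('DELETE FROM "%s" WHERE primarykey = ?' % table,
                           (checkpoint_key(host, channel),))
        conn.commit()
        return cur.rowcount
    finally:
        conn.close()


def build_sample_db(db_path: Path, host: str = "ruraljuror") -> None:
    """Constructed stand-in for wmi_checkpoint using the columns and values from the answer."""
    conn = sqlite3.connect(str(db_path))
    conn.execute("CREATE TABLE checkpoint (primarykey TEXT PRIMARY KEY, secondary1 TEXT, "
                 "secondary2 TEXT, secondary3 TEXT, value TEXT)")
    rows = [
        (checkpoint_key(host, "Security"), "D 6918747 6918746 6918747"),
        (checkpoint_key(host, "Application"), "D 57280 57279 57280"),
        (checkpoint_key(host, "System"), "D 67780 67779 67781"),
    ]
    conn.executemany("INSERT INTO checkpoint VALUES (?, '', '', '', ?)", rows)
    conn.commit()
    conn.close()


def demo() -> dict:
    """Stale Security checkpoint: inspect it, delete it, confirm other channels survive."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "wmi_checkpoint"
        build_sample_db(db)
        before = read_checkpoint(db, "ruraljuror", "Security")
        deleted = reset_checkpoint(db, "ruraljuror", "Security")
        after = read_checkpoint(db, "ruraljuror", "Security")
        system = read_checkpoint(db, "ruraljuror", "System")
        return {"before": before, "deleted": deleted, "after": after,
                "system": system, "backup": db.with_name("wmi_checkpoint.bak").exists()}


if __name__ == "__main__":
    print(demo())
```

The answer lists Application as 22C75216, System as CEE114BD and Security as 3CEDB797; if channel_hash() does not reproduce the keys in your own file, match on the primarykey column directly rather than trusting the computed hash. The backup copy is the way back if the wrong row is removed, and the read-before-delete step is how you confirm you are looking at the RecordNumber (here 6918747) that the _internal log complained about.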
  </channel>
</rss>

