https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17926#M2398 <P>I am trying to index the local windows eventlogs, but there appears to be an issue reading the "Security" eventlog, and is then no longer indexing all the logs ongoing. On restart of splunk the logs are being processed alphabetically, with a Processing event then a Finished event. It appears the Security log gets a Processing event, but not a Finished event.</P> <P>I have cleared the Security Log (and other logs aswell), but the issue persists.</P> <P>Has anyone else seen this issue?</P> <P>\var\log\splunk\splunkd.log - Splunk 4.3.2 on Windows</P> <P><STRONG>10-31-2012 12:19:20.240 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'</STRONG></P> <P>10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Internet Explorer': total_events='0' with empty_msg='0'.</P> <P>10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Internet Explorer'</P> <P>10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'HardwareEvents': total_events='0' with empty_msg='0'.</P> <P>10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'HardwareEvents'</P> <P>10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'ForwardedEvents': total_events='249' with empty_msg='0'.</P> <P>10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'ForwardedEvents'</P> <P>10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Application': total_events='0' with empty_msg='0'.</P> <P>10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Application'</P> Mon, 28 Sep 2020 12:42:59 GMT marcpatron 2020-09-28T12:42:59Z https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17926#M2398 <P>I am trying to index the local windows eventlogs, but there appears to be an issue reading the "Security" eventlog, and is then no longer indexing all the logs ongoing. On restart of splunk the logs are being processed alphabetically, with a Processing event then a Finished event. It appears the Security log gets a Processing event, but not a Finished event.</P> <P>I have cleared the Security Log (and other logs aswell), but the issue persists.</P> <P>Has anyone else seen this issue?</P> <P>\var\log\splunk\splunkd.log - Splunk 4.3.2 on Windows</P> <P><STRONG>10-31-2012 12:19:20.240 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'</STRONG></P> <P>10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Internet Explorer': total_events='0' with empty_msg='0'.</P> <P>10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Internet Explorer'</P> <P>10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'HardwareEvents': total_events='0' with empty_msg='0'.</P> <P>10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'HardwareEvents'</P> <P>10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'ForwardedEvents': total_events='249' with empty_msg='0'.</P> <P>10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'ForwardedEvents'</P> <P>10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Application': total_events='0' with empty_msg='0'.</P> <P>10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Application'</P> Mon, 28 Sep 2020 12:42:59 GMT https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17926#M2398 marcpatron 2020-09-28T12:42:59Z https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17927#M2399 <P>can you please clarify your scenario? Are you indexing evtx logs by pointing Splunk to the directory?</P> Wed, 31 Oct 2012 03:59:35 GMT https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17927#M2399 rovechkin_splun 2012-10-31T03:59:35Z https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17928#M2400 <P>I am indexing using Local Event Log collection, configured in the Windows App, not via monitoring the .evtx files. The server is Win2008.</P> Wed, 31 Oct 2012 04:06:11 GMT https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17928#M2400 marcpatron 2012-10-31T04:06:11Z https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17929#M2401 <P>The problem has been solved.</P> <P>At the same time of a bunch of other changes, some firewall rules were put in place around the Splunk server. The WinEventLog:Security input by default looks up AD to resolve SID's in events (evt_resolve_ad_obj = 1). This uses RPC ports to communicate to the AD servers. I have disabled this setting (evt_resolve_ad_obj = 0) and all event logs are now being indexed once again. There appears to be no issue with resolved usernames in the eventlogs.</P> <P>I discovered this in the splunkd.log with DEBUG turned on for WinEventLog*. Initially the following entries appear just as the Security log was begining to be processed:</P> <P>WinEventLogChannel - EvtDC::bind: Found DC='\SERVER1.xyz.loc', DCsite='XYZ', ClientSite = 'XYZ', Domain='xyz.loc'<BR /> WinEventLogChannel - connectToDC: DsBind failed: (1722)'The operation completed successfully.'<BR /> WinEventLogChannel - init: Failed to bind to DC, dc_bind_time=21140 msec</P> <P>Then every 21 seconds:</P> <P>WinEventLogChannel - connectToDC: DsBind failed: (1722)'The operation completed successfully.'<BR /> WinEventLogChannel - WinEventLogChannel::translateSidLocally Translating sids locally...</P> <P>I assume that the events were being indexed, just very slowly, so that it would appear to never finish indexing the security log and move onto other logs.</P> <P>I have reviewed the firewall rules and need to allow the blocked RPC port (tcp/1026).</P> Mon, 28 Sep 2020 12:50:52 GMT https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17929#M2401 marcpatron 2020-09-28T12:50:52Z https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17930#M2402 <P>Also see this Answers thread:</P> <P><A href="http://splunk-base.splunk.com/answers/75970/forwarder-shows-extreme-lag-or-latency-when-sending-windows-security-eventlog-data">http://splunk-base.splunk.com/answers/75970/forwarder-shows-extreme-lag-or-latency-when-sending-windows-security-eventlog-data</A></P> Wed, 13 Mar 2013 17:47:56 GMT https://community.splunk.com/t5/Getting-Data-In/Some-Local-Windows-Eventlogs-not-being-indexed/m-p/17930#M2402 splunkIT 2013-03-13T17:47:56Z