topic Re: ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security' Host is no longer forwarding WinEventLog:Security to the Linux indexer. in Getting Data In https://community.splunk.com/t5/Getting-Data-In/ERROR-WinEventLogChannel-initOld-Failed-to-initialize-checkpoint/m-p/41843#M7783 <P>This is a known defect, SPL-31339: WinEventLog:Security logs stop getting indexed and Splunkd.log displays the following errors:</P> <P>ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security' ERROR WinEventLogInputProcessor - main-thread: Failed to initialize Windows Event Log 'Security'</P> <P>This is likely due the Windows host not shutting down properly and the %SPLUNK_HOME%\var\lib\splunk\persistentstorage\WinEventLog\Security_checkpoint file is empty (size =1KB)</P> <P>The workaround is to shutdown Splunk on the Windows host, remove the file and restart Splunk to create a new Security_checkpoint file. This will allow the security logs to start indexing again.</P> <P>This defect is fixed in 4.1.4 (see <A href="http://www.splunk.com/base/Documentation/latest/ReleaseNotes/4.1.4" rel="nofollow">http://www.splunk.com/base/Documentation/latest/ReleaseNotes/4.1.4</A>) For 4.0.x, the fix is not currently planned and the workaround should be implemented.</P> Thu, 02 Sep 2010 03:02:02 GMT Ellen 2010-09-02T03:02:02Z ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security' Host is no longer forwarding WinEventLog:Security to the Linux indexer. https://community.splunk.com/t5/Getting-Data-In/ERROR-WinEventLogChannel-initOld-Failed-to-initialize-checkpoint/m-p/41842#M7782 <P>All of a sudden my 4.0.9 Splunk server is no longer forwarding the WinEventLog:Security logs onto my 4.1.4 Linux indexer. This was working fine and I can see the communication is established between the 2 systems. What's at issue?</P> Thu, 02 Sep 2010 03:01:33 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-WinEventLogChannel-initOld-Failed-to-initialize-checkpoint/m-p/41842#M7782 Ellen 2010-09-02T03:01:33Z Re: ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security' Host is no longer forwarding WinEventLog:Security to the Linux indexer. https://community.splunk.com/t5/Getting-Data-In/ERROR-WinEventLogChannel-initOld-Failed-to-initialize-checkpoint/m-p/41843#M7783 <P>This is a known defect, SPL-31339: WinEventLog:Security logs stop getting indexed and Splunkd.log displays the following errors:</P> <P>ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security' ERROR WinEventLogInputProcessor - main-thread: Failed to initialize Windows Event Log 'Security'</P> <P>This is likely due the Windows host not shutting down properly and the %SPLUNK_HOME%\var\lib\splunk\persistentstorage\WinEventLog\Security_checkpoint file is empty (size =1KB)</P> <P>The workaround is to shutdown Splunk on the Windows host, remove the file and restart Splunk to create a new Security_checkpoint file. This will allow the security logs to start indexing again.</P> <P>This defect is fixed in 4.1.4 (see <A href="http://www.splunk.com/base/Documentation/latest/ReleaseNotes/4.1.4" rel="nofollow">http://www.splunk.com/base/Documentation/latest/ReleaseNotes/4.1.4</A>) For 4.0.x, the fix is not currently planned and the workaround should be implemented.</P> Thu, 02 Sep 2010 03:02:02 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-WinEventLogChannel-initOld-Failed-to-initialize-checkpoint/m-p/41843#M7783 Ellen 2010-09-02T03:02:02Z