https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/438869#M124892 <P>Getting the same ERROR messages randomly on Windows 2016 servers with forwarders on 7.3.3.</P> Thu, 16 Apr 2020 08:52:21 GMT splunk68 2020-04-16T08:52:21Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/438868#M124891 <P>We discovered that in early April, around the 7th, we had a HUGE increase in forwarders reporting this error:</P> <PRE><CODE>ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Failed to checkpoint for channel='security' </CODE></PRE> <UL> <LI>It's showing up on Windows 7, Windows 10, Server 2012, Server 2016 machines</LI> <LI>Most of our forwarders are <STRONG>7.1.2</STRONG> but we have a few older versions out there.</LI> <LI>Most of the hosts I've found with this error are Windows 10</LI> <LI>No consistency in terms of OS or Forwarder versions where this error is showing up</LI> </UL> <P>Also, come to find out, this appears to correlate with events being missed from the Windows Event Security Logs and not being forwarded properly.</P> <P>The ONLY thing that happened around when this seemed to spread like wildfire was Windows patches were deployed in our environment.</P> <P>Has anyone else seen this issue?</P> <P>The search we run to identify them is this if anyone wants to take a look to see if they have the errors as well:</P> <PRE><CODE>index=_internal sourcetype=splunkd AND ERROR AND Security AND "Failed to checkpoint" AND log_level=ERROR | stats count by host </CODE></PRE> <P>We have a case open with Splunk, but the suggested fixes do not seem to be resolving the errors.</P> Mon, 08 Jun 2020 17:59:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/438868#M124891 jcleary47 2020-06-08T17:59:25Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/438869#M124892 <P>Getting the same ERROR messages randomly on Windows 2016 servers with forwarders on 7.3.3.</P> Thu, 16 Apr 2020 08:52:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/438869#M124892 splunk68 2020-04-16T08:52:21Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/438870#M124893 <P>No update?</P> Wed, 03 Jun 2020 18:04:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/438870#M124893 morethanyell 2020-06-03T18:04:42Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/526521#M148602 <P>I am having the same issue repeatedly in our Win'16 environment. Anyone found the cure yet?</P> Mon, 26 Oct 2020 19:19:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/526521#M148602 vanvan 2020-10-26T19:19:51Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/528759#M149283 <P>converting UF to use service account seems to have fixed it for me. So if that's not possible at least you know that its a permissions issue with localsystem.</P> Mon, 09 Nov 2020 23:59:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-high-increase-in-forwarders-reporting-errors/m-p/528759#M149283 CarsonZa 2020-11-09T23:59:21Z