topic Re: Failed to find Windows Event Log in Splunk Search

Failed to find Windows Event Log

g_paternicola — Fri, 03 Dec 2021 13:56:07 GMT

Hello

I'm trying to injest event from this Microsoft event viewer:

[WinEventLog://Microsoft-Windows-TerminalServices-ClientActiveXCore/Microsoft-Windows-TerminalServices-RDPClient/Operational] disabled = 0 renderXml = 1 sourcetype = XmlWinEventLog index = ad

My issue is, that the name of the event log the whole path is and not just "Operational" like the others.

Because of that I will get an error in Splunk:

ERROR ExecProcessor [5076 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-TerminalServices-ClientActiveXCore/Microsoft-Windows-TerminalServices-RDPClient/Operational'

Is there a way to escape the "/" before Operational?

Thank you very much in advice.

Re: Failed to find Windows Event Log

richgalloway — Fri, 03 Dec 2021 16:55:26 GMT

The escape character is '\'.

Re: Failed to find Windows Event Log

g_paternicola — Fri, 03 Dec 2021 16:57:24 GMT

Already tried, but it didn't work.. 😞

Re: Failed to find Windows Event Log

g_paternicola — Mon, 20 Dec 2021 07:38:58 GMT

Is there anyone else that can help me, please?

Re: Failed to find Windows Event Log

PickleRick — Mon, 20 Dec 2021 08:13:30 GMT

You need this value as channel name

Re: Failed to find Windows Event Log

g_paternicola — Mon, 20 Dec 2021 08:17:14 GMT

I already have this in my stanza:

[WinEventLog://Microsoft-Windows-TerminalServices-ClientActiveXCore/Microsoft-Windows-TerminalServices-RDPClient/Operational] disabled = 0 renderXml = 1 sourcetype = XmlWinEventLog index = ad whitelist3=1024

But I always going to get this error, even if I put the '\' escape before "Operational" or after

12-20-2021 09:08:21.416 +0100 ERROR ExecProcessor [21652 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-TerminalServices-ClientActiveXCore/Microsoft-Windows-TerminalServices-RDPClient/Operational'

Re: Failed to find Windows Event Log

PickleRick — Mon, 20 Dec 2021 08:19:43 GMT

Yes, your stanza name is too long. Loose the first part.

You can verify it with powershell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1

Check with what -LogName value you'll get results. It's way easier than blindly (re)configuring splunk inputs/

Re: Failed to find Windows Event Log

g_paternicola — Mon, 20 Dec 2021 08:47:46 GMT

this command was my solution:

Get-WinEvent -FilterHashTable @{ LogName = "Microsoft-Windows-TerminalServices-RDPClient/Operational"; ID = 1024 }

There is no "TerminalServices-ClientActiveXCore" in the PowerShell results. This also why Splunk told me all the time "failed to find ...." Thank you!