On some of the instance of splunk after following error message after upgrading to 6.0.3 from 6.0.1
04-16-2014 00:02:30.073 +0000 ERROR ExecProcessor - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='security'
{noformat}
issue can also be duplicated on Splunk version 6.0.2, this only happens on some machines.
I have WinEventLog:Security input which I believe is causing the issue. I have removed this input and the errors stop, if I add it back, they start once more. The input has the following settings:
{noformat}
[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 5156,5158,5157,5152,4769,4768,4776
index=security
I have removed the blacklist section of this input and the errors stop occurring. This suggest a potential issue with my blacklist, but this error was not present in 6.0.1 with the same config/server. I have not observed any instances where the blacklisted EventCodes appear in my splunk logging, so I have found no impact to this problem...only the repeated error within the splunkd.log.
This behavior has been confirmed as BUG# SPL-83520:WinEventMon::processLogChannel: Failed to checkpoint for channel='security', and expected to be fixed in Splunk release 6.0.6
This message is annoyance and doesn't have any other negative impact.
This behavior has been confirmed as BUG# SPL-83520:WinEventMon::processLogChannel: Failed to checkpoint for channel='security', and expected to be fixed in Splunk release 6.0.6
This message is annoyance and doesn't have any other negative impact.
Currently targeted for 6.0.6 , corrected my last post.
Did you mean fixed in 6.0.5?