Getting Data In

ERROR ExecProcessor - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='security'

Splunk Employee
Splunk Employee

On some of the instance of splunk after following error message after upgrading to 6.0.3 from 6.0.1

04-16-2014 00:02:30.073 +0000 ERROR ExecProcessor - message from ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='security'
{noformat}

issue can also be duplicated on Splunk version 6.0.2, this only happens on some machines.

I have WinEventLog:Security input which I believe is causing the issue. I have removed this input and the errors stop, if I add it back, they start once more. The input has the following settings:
{noformat}
[WinEventLog:Security]
disabled = 0
startfrom = oldest
current
only = 0
evtresolvead_obj = 1
checkpointInterval = 5
blacklist = 5156,5158,5157,5152,4769,4768,4776
index=security

I have removed the blacklist section of this input and the errors stop occurring. This suggest a potential issue with my blacklist, but this error was not present in 6.0.1 with the same config/server. I have not observed any instances where the blacklisted EventCodes appear in my splunk logging, so I have found no impact to this problem...only the repeated error within the splunkd.log.

Tags (2)
1 Solution

Splunk Employee
Splunk Employee

This behavior has been confirmed as BUG# SPL-83520:WinEventMon::processLogChannel: Failed to checkpoint for channel='security', and expected to be fixed in Splunk release 6.0.6

This message is annoyance and doesn't have any other negative impact.

View solution in original post

Splunk Employee
Splunk Employee

This behavior has been confirmed as BUG# SPL-83520:WinEventMon::processLogChannel: Failed to checkpoint for channel='security', and expected to be fixed in Splunk release 6.0.6

This message is annoyance and doesn't have any other negative impact.

View solution in original post

Splunk Employee
Splunk Employee

Currently targeted for 6.0.6 , corrected my last post.

0 Karma

New Member

Did you mean fixed in 6.0.5?

0 Karma