Getting Data In

Error reading security event log messages on Windows 2008 Core Server

Jeremiah
Motivator

I have 4 Windows domain controllers running the Splunk light forwarder (version 4.1.6). I'm forwarding the local security event log from all 4 of them. 2 of the 4 are running Windows 2008 Core Server. When I look at events coming from these 2 servers, the message portion of the event contains this error:

Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.

FormatMessage error: The parameter is incorrect.

Anyone experience a similar problem? Or have you been successful in reading event viewer logs with Splunk on win2k8 core?

0 Karma

lmyrefelt
Builder

One of my customers has been experiencing this problem as well.
From what we can see / have found out, it seems related to Windows RM (remote management) and the format Windows writes its event logs in. Try to change the format of the event logs written and I think it should be solved.

To list event log subscriptions:

wecutil es < list existing subscriptions
wecutil gs < get subscription info
wecutil ss /cf:events < change the format from rendered text to events

Try it out! - Hope it can help someone
( I have seen this issue in many threads and I have also seen people somehow blaming Splunk for it, but it seems to be a Windows-side error ) 😉

0 Karma

mship
Path Finder

Splunk doesn't go to the .dll to get this info... the Windows Event Viewer does. Look at your Windows event logs locally and I will bet you are getting the same message. If it is your security log you are probably missing the msaudite.dll file under the system32 folder along with the Security subkey under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security.
If it is in the app or system event log you are missing the registry hives for those events. You can just copy them over from a working machine.

malmoore
Splunk Employee

What are the event code(s) associated with these events (or is it occurring for all events)?

I just tested this right now with a brand new Win2k8 Standard Core install, without any problems.

How long have these systems been up? Have they had patches applied? This reeks of a corrupt DLL somewhere, in particular MSObjs.dll, MSauditE.dll, and NTMarta.dll.

0 Karma
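As an added diagnostic (not posted by anyone in this thread), the following PowerShell script checks both things the replies point at on the forwarder host: that the event-message DLLs registered for the Security log (and the three DLLs named above) exist on disk, and that any Windows Event Collector subscriptions use the Events content format rather than RenderedText. It assumes the standard EventLog registry layout, that wecutil.exe is on PATH, and that `wecutil gs` prints a line of the form `ContentFormat: RenderedText`.

```powershell
# Added diagnostic for "Splunk could not get the description for this event".
# Assumptions: standard EventLog registry layout; wecutil.exe on PATH;
# "wecutil gs" output contains a "ContentFormat: <value>" line.

$logKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

if (-not (Test-Path $logKey)) {
    Write-Warning "Missing registry key $logKey (no event sources registered for the Security log)."
}
else {
    # Each subkey is an event source; EventMessageFile lists the DLLs holding the message text.
    Get-ChildItem $logKey | ForEach-Object {
        $source = $_.PSChildName
        $files  = (Get-ItemProperty $_.PSPath).EventMessageFile
        if (-not $files) { return }
        foreach ($f in ($files -split ';')) {
            # Expand %SystemRoot% and friends before testing the path.
            $path  = [Environment]::ExpandEnvironmentVariables($f.Trim())
            $state = if (Test-Path $path) { 'present' } else { 'MISSING' }
            '{0,-40} {1,-8} {2}' -f $source, $state, $path
        }
    }
}

# Explicit check for the DLLs named in the replies.
foreach ($dll in 'msaudite.dll', 'msobjs.dll', 'ntmarta.dll') {
    $p = Join-Path $env:SystemRoot "System32\$dll"
    '{0,-40} {1}' -f $dll, $(if (Test-Path $p) { 'present' } else { 'MISSING' })
}

# Event Collector subscriptions: flag any that deliver rendered text.
$subs = & wecutil es 2>$null
foreach ($s in $subs) {
    if (-not $s) { continue }
    $line = (& wecutil gs $s) | Where-Object { $_ -match '^\s*ContentFormat' } | Select-Object -First 1
    $fmt  = if ($line) { ($line -split ':\s*', 2)[1].Trim() } else { 'unknown' }
    if ($fmt -eq 'RenderedText') {
        Write-Warning "Subscription '$s' uses RenderedText; consider: wecutil ss $s /cf:Events"
    }
    else {
        "Subscription '$s' ContentFormat: $fmt"
    }
}
```

Run it in an elevated prompt on one of the affected Core servers and compare the output with a server whose events render correctly.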