Error reading security event log messages on Windows 2008 Core Server

Motivator

I have 4 Windows domain controllers running the Splunk light forwarder (version 4.1.6). I'm forwarding the local security event log from all 4 of them. 2 of the 4 are running Windows 2008 Core Server. When I look at events coming from these 2 servers, the message portion of the event contains this error:

Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.

FormatMessage error: The parameter is incorrect.

Anyone experience a similar problem? Or have you been successful in reading event viewer logs with Splunk on win2k8 core?

Re: Error reading security event log messages on Windows 2008 Core Server

Splunk Employee

What are the event code(s) associated with these events (or is it occurring for all events)?

I just tested this right now with a brand new Win2k8 Standard Core install, without any problems.

How long have these systems been up? Have they had patches applied? This reeks of a corrupt DLL somewhere, in particular MSObjs.dll, MSauditE.dll, and NTMarta.dll.

Re: Error reading security event log messages on Windows 2008 Core Server

Path Finder

Splunk doesn't go to the .dll to get this info... the Windows event viewer does. Look at your Windows event logs locally and I will bet you are getting the same message. If it is your Security log you are probably missing the msaudite.dll file under the system32 folder along with the Security subkey under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security.
If it is in the app or system event log you are missing the registry hives for those events. You can just copy them over from a working machine.

Re: Error reading security event log messages on Windows 2008 Core Server

Builder

One of my customers has been experiencing this problem as well.
From what we can see / have found out, it seems related to Windows RM (remote management) and the format Windows writes its event logs in. Try to change the format of the event logs written and I think it should be solved.

To list and change event log subscriptions:

wecutil es                               <- list existing subscriptions
wecutil gs <SubscriptionId>              <- get subscription info (including ContentFormat)
wecutil ss <SubscriptionId> /cf:Events   <- change the content format from RenderedText to Events

Try it out! - Hope it can help someone
(I have seen this issue in many threads and I have also seen people somehow blaming Splunk for it, but it seems to be a Windows-side error) 😉

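A PowerShell check that combines the two remedies discussed in this thread: the Security message-file registration from the Path Finder reply, and the subscription content format from the reply above. It is an added example, not code from the thread or from Splunk, and it assumes wecutil.exe is on the PATH, that `wecutil gs <id>` prints a `ContentFormat:` line in its terse output, and that the subkey and DLL names are as the replies describe.

```powershell
# Added example, not from the thread. Assumes wecutil.exe is on PATH and that
# "wecutil gs <id>" prints a "ContentFormat: <value>" line (terse output).
# Run on the collector; add -Fix to actually switch subscriptions to Events.
param([switch]$Fix)

# 1. Message-file registration for the Security log, as the Path Finder reply
#    describes: the Security source subkey should point at MsAuditE.dll.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security\Security'
if (Test-Path $key) {
    $dll  = (Get-ItemProperty -Path $key).EventMessageFile
    $path = [Environment]::ExpandEnvironmentVariables("$dll")
    if ($dll -and (Test-Path $path)) {
        Write-Host "Security EventMessageFile present: $path"
    } else {
        Write-Warning "EventMessageFile '$dll' is registered but not found on disk"
    }
} else {
    Write-Warning "Subkey $key is missing; compare with a healthy host"
}

# 2. Subscription content format: RenderedText embeds descriptions rendered on
#    the source host; Events keeps the raw event XML and lets the reader render it.
$subs = @(& wecutil es 2>$null | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if (-not $subs) { Write-Host 'No event collector subscriptions found'; return }

foreach ($id in $subs) {
    $fmt = 'unknown'
    foreach ($line in (& wecutil gs $id 2>$null)) {
        if ($line -match '^\s*ContentFormat:\s*(\S+)') { $fmt = $Matches[1] }
    }
    if ($fmt -ieq 'RenderedText') {
        if ($Fix) {
            & wecutil ss $id /cf:Events
            Write-Host "$id : ContentFormat switched from RenderedText to Events"
        } else {
            Write-Host "$id : ContentFormat is RenderedText (re-run with -Fix to change)"
        }
    } else {
        Write-Host "$id : ContentFormat is $fmt"
    }
}
```

Without -Fix the script only reports, so it can be run first to confirm that the affected subscriptions are in fact the RenderedText ones before anything is changed.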