Getting Data In

Events indexed from EVT (Windows Event Log) files show the following error in the value of the "Message" field: "Splunk could not get the description for this event (...)"

hexx
Splunk Employee

I am using a Windows 2003 indexer to read Windows Event Log (EVT) files gathered from several other servers.

The events are indexed but the "Message" field for the events contains the following error:

    Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.

The contents of the "Message" field are then indexed but not as key/value pairs, which prevents Splunk's automatic field extractions from working.

How can I prevent this problem from happening?

1 Solution

hexx
Splunk Employee

This is in all likelihood a known issue with the Windows event log reader API that Splunk calls to convert the contents of EVT files to clear text in order to index them. The Windows 2003 version of that API has occasionally shown some compatibility issues which post-Windows Vista versions (notably Windows 2008) have not.

The solution is to re-adapt the architecture of your Splunk deployment so that the splunkd process that reads these EVT files does so while running on a Windows Vista (or more recent) operating system.

This would involve one of the following possibilities:

  • Upgrade the operating system of the machine running the Splunk instance that is reading your EVT files to Windows Vista or later.
  • Move/reinstall the Splunk instance that is reading your EVT file to another server running Windows Vista or later.
  • Set up another server running Windows Vista or later as a forwarder and read the EVT files from the newly-installed forwarder.


t9445
Path Finder

We had the same issues with UF v6.4.1 (latest at this time) and earlier revs. If we restarted the UF it would go away, however it would eventually come back (all current Windows flavors). We have 1000's of hosts, so we see the issue perhaps more than most; we actually built an alert/restart of the UFs having the condition.

By changing evt_resolve_ad_obj from 1 to 0 the issue has (so far) not been seen (not sure we like the solution, however it is better than sporadically getting completely bogus security event Messages).

hth


cmeo
Contributor

What a mad system those sons of fun at Redmond have come up with.


cmeo
Contributor

Sorry, I'm having a bad brain day. It's all there in the docs: you need to load the relevant DLLs on the export-to machine, and/or save the display text when exporting.


hexx
Splunk Employee

This is a different problem. For the Windows event log viewer to be able to open and read an EVT file exported from a different system, any local DLLs referenced by the exporting system when writing the event logs need to also exist on the system reading the EVT file.
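
A practical way to verify the condition hexx describes, as an added example that is not part of the original thread or of Splunk's own code: given the source names an exported EVT references, the script below looks each one up under HKLM\SYSTEM\CurrentControlSet\Services\EventLog on the host that reads the file and reports whether the message DLLs registered for that source (EventMessageFile, ParameterMessageFile, CategoryMessageFile) actually exist there. A source that is not registered at all, or whose DLL is missing, is exactly the case where the reader cannot render the description text. The source list in the param block is a constructed sample ("MyExportedApp" is hypothetical); in practice take the names from the EVT itself, for example with the Splunk search `| stats count by SourceName`. Run it elevated, since the Security subkey is not readable by a standard user.

```powershell
# Added example, not from the original thread: report which event sources an
# exported .evt references that this host cannot resolve to message DLLs.
# Run on the machine whose splunkd (or Event Viewer) reads the exported file.
#
# Constructed sample input; 'MyExportedApp' is a hypothetical, unregistered source.
param(
    [string[]]$SourceName = @('Security', 'Service Control Manager', 'MyExportedApp'),
    [string[]]$LogName    = @('Application', 'Security', 'System')
)

$eventLogRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function Get-SourceMessageFiles {
    # Returns $null if the source is not registered under $Log, otherwise an
    # array (possibly empty) of records describing each registered message DLL.
    param([string]$Log, [string]$Source)

    $keyPath = Join-Path $eventLogRoot "$Log\$Source"
    if (-not (Test-Path -LiteralPath $keyPath)) { return $null }

    $props = Get-ItemProperty -LiteralPath $keyPath
    $files = @()
    foreach ($valueName in 'EventMessageFile', 'ParameterMessageFile', 'CategoryMessageFile') {
        $raw = $props.$valueName
        if ([string]::IsNullOrEmpty($raw)) { continue }
        # The value is REG_EXPAND_SZ and may list several DLLs separated by ';'.
        # Get-ItemProperty already expands %SystemRoot% etc.; expanding again is harmless.
        foreach ($entry in ($raw -split ';')) {
            $path = [Environment]::ExpandEnvironmentVariables($entry.Trim())
            if (-not $path) { continue }
            $files += [pscustomobject]@{
                Log    = $Log
                Source = $Source
                Value  = $valueName
                Path   = $path
                Exists = (Test-Path -LiteralPath $path -PathType Leaf)
            }
        }
    }
    # The leading comma keeps an empty array from collapsing to $null on return.
    return ,$files
}

$report = foreach ($source in $SourceName) {
    $registered = $false
    foreach ($log in $LogName) {
        $files = Get-SourceMessageFiles -Log $log -Source $source
        if ($null -eq $files) { continue }
        $registered = $true
        if ($files.Count -eq 0) {
            # Registered, but no message file at all: descriptions cannot be rendered.
            [pscustomobject]@{ Log = $log; Source = $source; Value = '(none)'; Path = ''; Exists = $false }
        } else {
            $files
        }
    }
    if (-not $registered) {
        # Not registered under any log checked: the usual cause of
        # "could not get the description for this event" for an imported EVT.
        [pscustomobject]@{ Log = '(not registered)'; Source = $source; Value = ''; Path = ''; Exists = $false }
    }
}

$report | Sort-Object Source, Log | Format-Table -AutoSize

$unresolved = @($report | Where-Object { -not $_.Exists })
if ($unresolved.Count -gt 0) {
    Write-Warning ("{0} source/message-file entries cannot be resolved on this host." -f $unresolved.Count)
}
```

Any row with Exists = False is a source whose events will index with the "could not get the description" text instead of the real message. The fix is the one hexx gives: install the component (or copy its message DLL and register the source) on the reading host, or move the reading to a host that already has it.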

cmeo
Contributor

Not sure it's that simple. I have a similar setup: copied event logs from a W2K3 server to a Win7 Splunk install to work on some searches. Event Viewer in Win7 can't find most of the display text, so no wonder Splunk hasn't got it. Stupidly, it looks like the display text is not necessarily saved with the events, and the only way you can see it is to install the same software on the machine you're viewing on! If someone knows how to sort this out, I'd love to know how.

Also event viewer says there are 17100 events in my file, but splunk only sees 1881. What's going on with that?
