I am using a Windows 2003 indexer to read Windows Event Log (EVT) files gathered from several other servers.
The events are indexed but the "Message" field for the events contains the following error:
Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.
The contents of the "Message" field are then indexed but not as key/value pairs, which prevents Splunk's automatic field extractions from working.
How can I prevent this problem from happening?
This is in all likelihood a known issue with the Windows event log reader API that Splunk calls to convert the contents of EVT files to clear text in order to index them. The Windows 2003 version of that API has occasionally shown some compatibility issues which post-Windows Vista versions (notably Windows 2008) have not.
The solution is to re-adapt the architecture of your Splunk deployment so that the splunkd process that reads these EVT files does so while running on a Windows Vista (or more recent) operating system.
This would involve one of the following possibilities:
We had the same issues with UF v6.4.1 (latest at this time) and earlier revs. If we restarted the UF it would go away, however it would eventually come back (all current Windows flavors). We have 1000s of hosts so we see the issue perhaps more than most; we actually built an alert/restart of the UFs having the condition.
By changing evt_resolve_ad_obj from 1 to 0 the issue has (so far) not been seen (not sure we like the solution, however it is better than sporadically getting completely bogus security event Messages).
hth
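As an added illustration (not configuration from the original thread), this is how the setting change and the "alert on affected forwarders" idea from the answer above look as Splunk configuration. The index name `wineventlog`, the stanza name, and the 15-minute schedule are assumptions.

```ini
# inputs.conf on the universal forwarder (e.g. pushed from the deployment server).
# Weak form: evt_resolve_ad_obj = 1 asks the forwarder to resolve SIDs/GUIDs
# against Active Directory for each Security event; the answer above ties this
# setting to the bogus "could not get the description" Message text.
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1

# Corrected form (use this stanza instead of the one above, not both):
# AD object resolution off, so SIDs stay unresolved in the event text,
# but the Message field is rendered consistently.
[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 0

# savedsearches.conf on the search head: detect forwarders that are still
# emitting the error text, so the affected UFs can be restarted.
# Index name and schedule are assumptions.
[UF event description lookup failures]
search = index=wineventlog sourcetype=WinEventLog:Security "Splunk could not get the description for this event" | stats count by host
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
```

The alert fires whenever any host produced the placeholder Message in the last 15 minutes; the `by host` grouping tells you which forwarders need attention.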
What a mad system those sons of fun at Redmond have come up with.
Sorry I'm having a bad brain day. It's all there in the docs--you need to load relevant DLLs on the export-to machine, and/or save display text when exporting.
This is a different problem. For the Windows event log viewer to be able to open and read an EVT file exported from a different system, any local DLLs referenced by the exporting system when writing the event logs need to also exist on the system reading the EVT file.
Not sure it's that simple. I have a similar setup--copied event logs from a w2k3 server to a win7 splunk install to work on some searches. Event viewer in win7 can't find most of the display text, so no wonder splunk hasn't got it. Stupidly, it looks like the display text is not necessarily saved with the events and the only way you can see it is to install the same software on the machine you're viewing on! If someone knows how to sort this out, I'd love to know how.
Also event viewer says there are 17100 events in my file, but splunk only sees 1881. What's going on with that?