
ForwardedEvents ingestion broken after update to 9.1

PickleRick
SplunkTrust

This is an informational post rather than a question.

If you use WEF to gather logs from your infrastructure to a single point from which you pick them up with

[WinEventLog://ForwardedEvents]

You might notice that this input can stop working after you upgrade to 9.1.0 (or above).

The forwarder will log errors about a wrong event format to splunkd.log:

Invalid WEC content-format:'Events', for splunk-format = rendered_event. See the description for the 'wec_event_format' setting at $SPLUNK_HOME/etc/system/README/inputs.conf.spec for more details

If you go to the inputs.conf spec file (either in the README directory or on the Splunk website) you'll find the wec_event_format parameter (which was not present in versions up to 9.0.6), which must correspond to the setting in the WEF subscription. If the wec_event_format is "wrong" (the most typical situation will be when the WEF subscription is created as Events and the UF uses the default rendered_event value), you need to set

wec_event_format = raw_event

in your input definition.


jeremyhewitt
Observer

I have wasted so many hours trying to troubleshoot why my ForwardedEvents were not being ingested into the index.

Thank you, this fixed the issue.

The formatting of the search is very different though, and not all fields are showing up in the results; not sure why.

Edit: So how can I get new ingested events to look the same? And have the same fields?

E.g. I'm only using Splunk to ingest forwarded applocker logs. I can't display fields for publisher or file path for newly ingested events. They only show up for old ones that were ingested before the issue.

Edit 2: Fixed it I think by adding this line back in:

renderXML = 1

abpe
Path Finder

It's actually worse. Splunk doesn't allow you to set the wec_event_format to RenderedText if the channel name doesn't start with ForwardedEvents.

10-20-2023 12:49:20.893 +0200 ERROR ExecProcessor [6396 ExecProcessorSchedulerThread] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - WinEventLogChannelBase::enumLocalWECSubscriptions: subscription:'Applocker' - Invalid WEC destination channel ACME-WEC-Workstations/Applocker for content format RenderedText. RenderedText format is supported only on ForwardedEvents or custom channels named ForwardedEvents-1, ForwardedEvents-2, etc. Consider creating custom channels as the destination log, or change the content format of the subscription to "Events". See the description for the 'wec_event_format' setting at $SPLUNK_HOME/etc/system/README/inputs.conf.spec for more details.

Also, you can't set wec_event_format to 'Events' for the ForwardedEvents channel, and forget about having mixed events in the same channel.

It's amazing how such a breaking change was introduced under the carpet.
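Added example (not code from PickleRick, abpe or Splunk): a small Python script that takes the per-subscription output of `wecutil gs <subscription>` from the collector and derives the wec_event_format the 9.1+ forwarder needs, applying the two rules visible in the errors quoted in this thread: a subscription with ContentFormat Events needs wec_event_format = raw_event, and RenderedText is only accepted on ForwardedEvents or ForwardedEvents-N. The sample wecutil text is constructed; the key names ContentFormat and LogFile are assumed to be the ones wecutil prints, and the optional renderXml line follows jeremyhewitt's reply above.

```python
"""Map WEF subscription settings to the wec_event_format a Splunk 9.1+ UF needs."""
import re

# Constructed sample input, modelled on the "Key: Value" lines that
# `wecutil gs <subscription>` prints on the collector. Nested keys are
# indented and are not needed here. This is not real wecutil output, and
# the key names ContentFormat / LogFile are an assumption of this example.
SAMPLE_WECUTIL_GS = {
    "Security-WEF": """Subscription Id: Security-WEF
SubscriptionType: SourceInitiated
Enabled: true
Delivery:
    Mode: Push
    Batching:
        MaxLatencyTime: 30000
ContentFormat: Events
Locale: en-US
LogFile: ForwardedEvents
""",
    "Sysmon-WEF": """Subscription Id: Sysmon-WEF
SubscriptionType: SourceInitiated
Enabled: true
ContentFormat: RenderedText
Locale: en-US
LogFile: ForwardedEvents-2
""",
    "Applocker": """Subscription Id: Applocker
SubscriptionType: SourceInitiated
Enabled: true
ContentFormat: RenderedText
Locale: en-US
LogFile: ACME-WEC-Workstations/Applocker
""",
}

# Channel names on which the 9.1 forwarder accepts RenderedText, per the
# splunk-winevtlog.exe error quoted in the thread above.
FORWARDED_EVENTS_CHANNEL = re.compile(r"^ForwardedEvents(-\d+)?$")

# Collector ContentFormat -> inputs.conf wec_event_format
CONTENT_FORMAT_TO_SPLUNK = {
    "Events": "raw_event",
    "RenderedText": "rendered_event",  # the UF default since 9.1
}


def parse_wecutil_gs(text: str) -> dict:
    """Parse the top-level 'Key: Value' lines of wecutil gs output into a dict."""
    sub = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue  # skip blank lines and indented (nested) keys
        key, _, value = line.partition(":")
        sub[key.strip()] = value.strip()
    return sub


def check_subscription(sub: dict) -> str:
    """Return '' if a 9.1+ UF can read this subscription's destination log, else why not."""
    fmt = sub.get("ContentFormat", "")
    log = sub.get("LogFile", "")
    if fmt not in CONTENT_FORMAT_TO_SPLUNK:
        return f"unknown ContentFormat {fmt!r}"
    if fmt == "RenderedText" and not FORWARDED_EVENTS_CHANNEL.match(log):
        return (f"RenderedText is only accepted on ForwardedEvents or ForwardedEvents-N, "
                f"not {log!r}: rename the destination log or switch the subscription to Events")
    return ""


def inputs_stanza(sub: dict, render_xml: bool = True) -> str:
    """Build the [WinEventLog://...] stanza whose wec_event_format matches the subscription."""
    problem = check_subscription(sub)
    if problem:
        raise ValueError(problem)
    lines = [
        f"[WinEventLog://{sub['LogFile']}]",
        "disabled = 0",
        f"wec_event_format = {CONTENT_FORMAT_TO_SPLUNK[sub['ContentFormat']]}",
    ]
    if render_xml:
        # jeremyhewitt's reply above reports this brought the missing fields back.
        lines.append("renderXml = true")
    return "\n".join(lines) + "\n"


def plan_inputs(wecutil_outputs: dict) -> dict:
    """For each subscription, return ('stanza', text) to deploy or ('error', reason)."""
    result = {}
    for name, text in wecutil_outputs.items():
        sub = parse_wecutil_gs(text)
        problem = check_subscription(sub)
        result[name] = ("error", problem) if problem else ("stanza", inputs_stanza(sub))
    return result


if __name__ == "__main__":
    for name, (kind, body) in plan_inputs(SAMPLE_WECUTIL_GS).items():
        print(f"# {name}: {kind}\n{body}")
```

Run it on the collector with the real `wecutil gs` output for each subscription substituted into the dict; a subscription that lands on ("error", ...) is exactly the case abpe describes, and no inputs.conf setting will make the forwarder accept it until either the destination log or the content format is changed.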
