Splunk appears to be calling the "Win32_Product" WMI function that triggers a consistency check of installed applications, causing numerous 1035 event codes to be generated in the event log (approximately 100 every 10 minutes). It appears to correlate nicely with perfmon queries.
eventtype="wineventlog_windows" sourcetype="WinEventLog:*" EventCode=1035 SourceName=MsiInstaller
I can confirm that, through PowerShell, executing "Get-WmiObject Win32_Product" does indeed trigger the 1035 events.
I've looked through our configs and have verified that we are not running a Win32_Product WMI query explicitly and I verified that running the Splunk command 'splunk-wmi' does not trigger the generation of 1035 events.
Not all machines exhibit this problem and we have not been able to determine a pattern on why some are affected and others are not.
More information in Microsoft KB article:
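The behaviour described in the question can be reproduced and measured on a single host. The following PowerShell script is an added example, not code from the thread or from Splunk: it counts MsiInstaller 1035 events in the Application log before and after an inventory query, once using the registry Uninstall keys (which do not involve Windows Installer) and once using Win32_Product (which makes Windows Installer verify every product). The function names are the author's own; the registry paths and Get-WinEvent filter keys are standard Windows ones. Run it in an elevated PowerShell session on a test machine, since the Win32_Product call will itself generate a burst of 1035 events.

```powershell
# Added example (not from the original thread): show that Win32_Product, not the
# registry, is what produces MsiInstaller event 1035, one event per installed product.

function Get-MsiInstallerEventCount {
    # Count MsiInstaller 1035 events in the Application log since $Since.
    param([datetime]$Since)
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1035
        StartTime    = $Since
    } -ErrorAction SilentlyContinue   # no matching events raises a non-terminating error
    return @($events).Count
}

function Get-InstalledSoftwareFromRegistry {
    # Read the Uninstall keys (64-bit and 32-bit views) instead of Win32_Product.
    # This returns the same inventory without triggering an MSI consistency check.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

$start  = Get-Date
$before = Get-MsiInstallerEventCount -Since $start

# Registry read: no Windows Installer activity expected, so no new 1035 events.
$regInventory  = Get-InstalledSoftwareFromRegistry
$afterRegistry = Get-MsiInstallerEventCount -Since $start

# WMI Win32_Product: Windows Installer reconfigures/verifies every product,
# so expect roughly one 1035 event per installed MSI package.
$wmiInventory = Get-WmiObject -Class Win32_Product
$afterWmi     = Get-MsiInstallerEventCount -Since $start

[pscustomobject]@{
    RegistryEntries         = @($regInventory).Count
    Events1035AfterRegistry = $afterRegistry - $before
    WmiProducts             = @($wmiInventory).Count
    Events1035AfterWmi      = $afterWmi - $afterRegistry
}
```

If a forwarder or monitoring agent needs a software inventory, the registry read above (or the Get-Package / Get-CimInstance Win32_InstalledWin32Program alternatives on newer systems) avoids the event flood entirely; the 1035 burst every 10 minutes is a reliable indicator that something on the host is still issuing a Win32_Product query on a schedule.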
This problem was fixed in Splunk 6.3.0. I've personally verified it with Splunk 6.3.2 Universal Forwarder.
We have a problem with Splunk generating multiple events with event id 1035 generated by MsiInstaller. I have upgraded Splunk from 7.0.0 to 7.3.1, still no use. We are running on Windows Server 2016. Any help would be much appreciated. Thanks in advance.
Note that the every-10-minutes issue for us appears to be tied to WinHostMon stanzas. The default interval for WinHostMon is every 10 minutes. Procmon is currently set to every 1 minute for us, so I don't believe this to be causing the issue.
I have the same problem. Application event logs are filled with multiple events with id 1035 generated by MsiInstaller. I upgraded Splunk from 7.0.0 to 7.3.1, still no use. We are running on Windows Server 2016. Any help would be much appreciated. Thanks in advance.