Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to troubleshoot why we are seeing unexpected characters in Windows event logs in Splunk?

lukasz92
Communicator
‎05-11-2016 01:37 AM

Hi,

I have a serious problem with logs.. some events (below 0.01%) have strange characters.
- such strange characters seems to not repeat (all are unique)
- there are no regional characters in events - OS has english language set
- it affects mainly Splunk processes, but not only
- for one selected host - there are "good" and "bad" process names. For example host ending with "PAL01" has hundreds of events with "splunk-powershell.exe" process name, and one with chinese artifacts.

My example search to find such hosts:

index="wineventlog" host=* (EventID=4688 OR EventID=861) NewProcessName=* SubjectUserName=* *splunk-pow* NOT *splunk-power*

What is going on? It is a serious problem, because we don't know how many artifacts are there and how to find them all.alt text

Preview file
85 KB
Reply

sjohnson_splunk
Splunk Employee
Splunk Employee
‎05-25-2016 07:27 AM

I suggest that you examine the actual event logs on one of the servers with the event viewer and see if it originates there. If the logs are OK I would re-install the UF on those servers.

0 Karma
Reply

buysse
Explorer
‎10-12-2016 08:35 AM

lukasz92 - did reinstalling work to eliminate the artifacts?

We're seeing the same thing. What versions were you running (our forwarders are on 6.3.2, indexers on 6.4.3)?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-23-2016 07:00 AM

What is creating these event logs?

0 Karma
Reply

lukasz92
Communicator
‎05-24-2016 01:24 AM

I don't understand your question.

They are forwarded to indexers with input:

[WinEventLog://Security]
disabled = 0
current_only = 1
index = wineventlog
renderXml=true

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-24-2016 05:33 AM

Valid answers might include McAfee antivirus, custom GPOs, UAC, standard windows auditing when access is granted, custom software, etc.

0 Karma
Reply

lukasz92
Communicator
‎05-25-2016 05:35 AM

This is only WinEventLog. I catch the events with EventCode 4688.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-25-2016 05:45 AM

Yeah doesnt make much sense unless there is some data corruption along the way... packet loss, pinched network cable, disk corruption, etc.

0 Karma
Reply

MuS
Legend
‎05-11-2016 01:56 PM

Hi lukasz92,

check the CHARSET = <string> in props.conf for this sourcetype on the universal forwarder. Maybe you need to adjust this in your case http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Propsconf#GLOBAL_SETTINGS

cheers, MuS

Reply

lukasz92
Communicator
‎05-24-2016 01:22 AM

Changed also on forwarders. It didn't help.

0 Karma
Reply

lukasz92
Communicator
‎05-23-2016 01:30 AM

I changed it to CP1252, it didn't help - strange characters appear.

  • I observed that number of strange characters usually equals number of normal characters that should be in this place
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...