Re: Introspecting scheme=WinEventLog: killing proc...

thy666 · ‎11-05-2017

I met an error to start collecting WinEventLog when starting Universal Forwarder 6.6.2 on Windows Server 2008R2(x64). The streamfwd.exe worked well on the same host. Do you have same situation, and idea?

10-29-2017 19:38:05.421 +0900 ERROR ModularInputs - Unable to initialize modular input "WinEventLog" defined in the system context: Introspecting scheme=WinEventLog: script running failed (exited with code 0).
10-29-2017 19:38:05.156 +0900 ERROR ModularInputs - Introspecting scheme=WinEventLog: killing process, because executing it took too long (over 30000 msecs).

mbadhusha_splun · ‎11-27-2018

Disable all other stanzas. Leave only the affected stanza enabled.
Run the input from the command line to see if it can read events. $ splunk cmd splunkd print-modinput-config WinEventLog | splunk-WinEvtLog.exe
Remove the checkpoint file (make a copy of it first) and restart Splunk service.
Run the input again to see if it can read events.

If this is because of the checkpoint file, step 2 will not produce events. Step 4 should produce events.

On the UF, run command prompt as administrator
Navigate to $SPLUNK_HOME\bin
Run the below two commands,

$ set SPLUNK_HOME="c:\program files\SplunkUniversalForwarder"

$ splunk cmd splunkd print-modinput-config WinEventLog

You can consider upgrading the affected Splunk UF's as well.

Cheers!

Introspecting scheme=WinEventLog: killing process, because executing it took too long

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation