
Is anyone else getting "Splunk could not get the description..." after a Windows update using Splunk 6.3.2?

bbeavise2g
Explorer

Not so much a question, but an observation looking for confirmation. If true, looking to spread the word.

Recently our Windows Security event alerts for group changes have been blank. The event log entry corresponding to the change shows "Splunk could not get the description...". After reading many outdated articles with little to no success, and updating as much as I was willing, I discovered the trend. This message only came from domain controllers after a recent Windows Update. I correlated the updates between two servers and eliminated the updates which did not change anything event log related. This is based on the Universal Forwarder using Windows DLLs/APIs to read the event logs. I narrowed it down to 3 candidates and picked what I felt was the culprit. I uninstalled the update and event details resumed. The update in question is related to KB3146706 and is titled MS16-044: Security update for Windows OLE: April 12, 2016.

Has this update messed with anyone else? Or if you have this behavior and are willing to uninstall this update, can you confirm this?

Where else to spread the word, if true?

Also note, this is not a Splunk issue, since I also send logs via an rsyslog agent and its format was messed up.

For the curious, I think the two DLLs in question are Adtschema.dll and Msaudite.dll, but this update changes several files.

If it matters, my Splunk indexer and such are on Linux. The Windows systems use the Universal Forwarder.

1 Solution

bbeavise2g
Explorer

I was just able to apply recent updates and it seems KB3153171 (MS16-060 and MS16-061: Description of the security update for RPC and for Windows kernel: April 12, 2016) has updated versions of Adtschema.dll and Msaudite.dll. So far in my testing, this seems to resolve the issue.

This experience has enlightened me to how the Universal Forwarder functions, by calling Windows DLLs, and hopefully can help others debug similar issues.

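A diagnostic, added here as an example and not part of the thread, that an administrator could run on a domain controller to check for the symptom described above and to compare the message-DLL builds between hosts. It assumes only the DLL names and KB numbers given in the posts, and uses the standard Get-WinEvent, Get-Item and Get-HotFix cmdlets.

```powershell
# Added diagnostic (not from the original thread). Run in an elevated
# PowerShell session on a domain controller.

# Sample recent Security events and count those with no renderable message.
# Get-WinEvent leaves .Message empty (and warns) when the provider's message
# file cannot be resolved; a high ratio matches the "could not get the
# description" symptom the thread describes.
$events = Get-WinEvent -LogName Security -MaxEvents 500 -ErrorAction Stop
$blank  = @($events | Where-Object { [string]::IsNullOrEmpty($_.Message) })
"{0} of {1} sampled Security events have no description" -f $blank.Count, $events.Count

# Group the undecorated events by Event ID so affected IDs stand out.
$blank | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Report the file versions of the two message DLLs named in the thread;
# compare them against a host that still renders descriptions correctly.
foreach ($dll in 'Adtschema.dll', 'Msaudite.dll') {
    $path = Join-Path $env:SystemRoot "System32\$dll"
    if (Test-Path $path) {
        $ver = (Get-Item $path).VersionInfo.FileVersion
        "{0}: {1}" -f $dll, $ver
    } else {
        "{0}: not found at {1}" -f $dll, $path
    }
}

# Show whether the update identified as the cause (KB3146706) and the one
# reported as the fix (KB3153171) are installed on this host.
Get-HotFix -Id KB3146706, KB3153171 -ErrorAction SilentlyContinue |
    Select-Object HotFixID, InstalledOn | Format-Table -AutoSize
```

Run it once on a host showing blank alerts and once on a healthy host; differing DLL file versions together with a non-zero blank count point at description resolution rather than at the forwarder's input configuration.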
