Getting Data In

Remote Eventlog Collection stopped working

New Member

Hello everyone,

On the weekend I messed up the Splunk installation while trying to move the database to a different place. But because I'm just starting to use Splunk, a quick reinstall got it back working... well, all except remote event log collection (via WMI).

I created a new data input and selected only the Application log on the remote server, but nothing happens.

I checked with Splunk\bin>splunk-wmi -wql "select * from win32_service" -namespace \server\root\cimv2 whether the WMI permissions are right, and data came in just fine.

Then I tried renaming the wmi_checkpoint file (to force a reindex), but even after a restart nothing happens.

Any suggestion how to fix this is appreciated.

With regards,

Norbert


New Member

OK... so far I have no luck.

  1. Filesystem permissions are OK
  2. Domain permissions are OK
  3. Virus scanner disabled on Splunk server & target machine -> no results
  4. index=_internal source="*splunkd.log" wmi -> only 2 info entries since yesterday

12/21/10 4:12:01.588 PM

12-21-2010 16:12:01.588 INFO IndexProcessor - rtsearch connection terminated, filter = '[ AND index::main wmi ]', _actionStreams = 0

12/21/10 4:10:40.885 PM

12-21-2010 16:10:40.885 INFO IndexProcessor - rtsearch connection established, filter = '[ AND index::main wmi ]', _activeStreams = 1, queue_size = 10000, blocking = FALSE

It's like there isn't even an attempt to read the eventlogs from the remote machine.


Splunk Employee

Norbert,

I am assuming that you read this article.

http://answers.splunk.com/questions/9150/splunk-does-not-collect-wmi-events

Also, check that your anti-virus program is not restricting the file as well. I would recommend that you run the following search to look for any additional errors.

index=_internal source="*splunkd.log"

Check to see what the WMI errors are. I would be curious to know.

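As an added example (not from either poster or from Splunk), this Python triage helper applies the suggested search offline to a saved splunkd.log: it parses the line layout quoted in the thread and keeps only WMI-related entries at WARN or above. The two INFO IndexProcessor lines Norbert found are filtered out deliberately, since they only contain "wmi" because his own real-time search term is echoed in the filter and say nothing about the WMI input; the WARN/ERROR lines in the sample are constructed, not real splunkd output.

```python
import re
from collections import Counter

# splunkd.log line layout, as quoted in the thread:
# "12-21-2010 16:12:01.588 INFO IndexProcessor - rtsearch connection terminated, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>DEBUG|INFO|WARN|ERROR|FATAL)\s+"
    r"(?P<component>\S+)\s+-\s+(?P<msg>.*)$"
)
LEVEL_RANK = {"DEBUG": 0, "INFO": 1, "WARN": 2, "ERROR": 3, "FATAL": 4}

def parse_line(line):
    """Split one splunkd.log line into ts/level/component/msg; None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def wmi_findings(lines, min_level="WARN"):
    """Return parsed entries mentioning WMI (in component or message) at or above min_level.
    The INFO 'IndexProcessor rtsearch' lines match 'wmi' only because the user's search
    term appears in the real-time search filter, so the default level cut drops them."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if not e or LEVEL_RANK[e["level"]] < LEVEL_RANK[min_level]:
            continue
        if "wmi" in (e["component"] + " " + e["msg"]).lower():
            hits.append(e)
    return hits

def summarize(findings):
    """Count findings per (level, component) to see which subsystem is complaining."""
    return Counter((e["level"], e["component"]) for e in findings)

# Constructed sample: the two INFO lines quoted in the thread plus three made-up lines.
# The WARN/ERROR messages are illustrative only, not genuine splunkd output.
SAMPLE_LOG = [
    "12-21-2010 16:12:01.588 INFO IndexProcessor - rtsearch connection terminated, filter = '[ AND index::main wmi ]', _actionStreams = 0",
    "12-21-2010 16:10:40.885 INFO IndexProcessor - rtsearch connection established, filter = '[ AND index::main wmi ]', _activeStreams = 1, queue_size = 10000, blocking = FALSE",
    "12-21-2010 16:15:02.001 WARN ExecProcessor - constructed: splunk-wmi query against \\\\server\\root\\cimv2 returned no rows",
    "12-21-2010 16:15:03.117 ERROR ExecProcessor - constructed: splunk-wmi reported access denied for \\\\server\\root\\cimv2",
    "12-21-2010 16:15:04.500 ERROR TcpOutputProc - constructed: unrelated forwarder error",
]

if __name__ == "__main__":
    for e in wmi_findings(SAMPLE_LOG):
        print(e["ts"], e["level"], e["component"], e["msg"])
    print(dict(summarize(wmi_findings(SAMPLE_LOG))))
```

Feed it the output of the suggested search exported from Splunk, or the splunkd.log file itself, to see at a glance whether the WMI input ever produced a warning or error.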