Since we upgraded our UF to v7.2.9, we are seeing lots of application crash errors in the application event log on our hosts. This is happening on large volumes of hosts. Initially I thought it may be a specific counter, but it occurs when the Splunk-Perfmon.exe process is running, even if no perfmon collection is occurring. I don't see any errors in Splunk itself and the Splunk-Perfmon process itself keeps running and sending data. Looking into these errors, there seems to be some suggestion this is related to "data execution prevention" which is blocking Splunk trying to run code in data memory (errors include code c0000005, which is an access denied error), but I have not been able to confirm this. Servers previously running v6 did not show this error; only when upgraded did the error start to appear.
Example error below:
SourceName=Windows Error Reporting
EventCode=1001
EventType=4
Type=Information
ComputerName=xxxxxxxxxxxx
TaskCategory=The operation completed successfully.
OpCode=Info
RecordNumber=230239
Keywords=Classic
Message=Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: splunk-perfmon.exe
P2: 1794.2305.24028.63924
P3: 5ddcfc22
P4: splunk-perfmon.exe
P5: 1794.2305.24028.63924
P6: 5ddcfc22
P7: c0000005
P8: 00000000005bc5d8
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_splunk-perfmon.e_2f9ed6fb118b57ac0e734f67ff573c73ad1654a_64da0b14_48835327
We are also experiencing the same issue on Windows Server 2019 with UF 7.3.71. Any updates to this?
I can see the exact same issue with forwarders +8, but only on Win Servers 2019. Has anyone found a fix?
Did you happen to find a solution to this? I'm encountering a similar issue.