Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

SPLUNK Universal Forwarder on Windows Server Core

KevinMurray
Explorer
‎02-06-2018 07:21 AM

I have several domain controllers, running the core version of Windows Server, reporting these errors in the splunkd logs:

01-30-2018 03:36:50.596 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - startDriver - StartService failure for splunkdrv! Error = 201-30-2018 03:36:50.596 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - WinRegistryMonitor::StartDriver: Unable to install driver.01-30-2018 03:36:50.596 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" splunk-regmon - stopDriver - Service 'splunkdrv' could not be stopped!  Error = 1062
01-30-2018 03:36:51.002 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'!  Error = 1060
01-30-2018 03:36:51.002 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - runWinMonitorNoHandleMon: Could not connect to filter driver 0x80070002
01-30-2018 03:36:51.002 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - DisplayError: %01-30-2018 03:36:51.002 -0700 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"" splunk-monitornohandle - GetServiceHandle - OpenService failure for 'SplunkMonitorNoHandle'!  Error = 1060

I would appreciate any help resolving these. I'm assuming since it is the "core" O/S, there is something locked down or missing that is required for SPLUNK to gather the data.

Reply

dbot2001
Path Finder
‎02-19-2021 05:56 AM

Run "Repair' or reinstall the Splunk Application

0 Karma
Reply

ansif
Motivator
‎02-06-2018 08:59 PM

For me a reboot helped.

You can also check the user permissions.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...