Getting Data In

Some Local Windows Eventlogs not being indexed

marcpatron
Explorer

I am trying to index the local Windows event logs, but there appears to be an issue reading the "Security" event log, and it then no longer indexes all the logs on an ongoing basis. On restart of Splunk the logs are processed alphabetically, with a Processing event and then a Finished event. It appears the Security log gets a Processing event, but not a Finished event.

I have cleared the Security Log (and other logs as well), but the issue persists.

Has anyone else seen this issue?

\var\log\splunk\splunkd.log - Splunk 4.3.2 on Windows

10-31-2012 12:19:20.240 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'

10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Internet Explorer': total_events='0' with empty_msg='0'.

10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Internet Explorer'

10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'HardwareEvents': total_events='0' with empty_msg='0'.

10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'HardwareEvents'

10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'ForwardedEvents': total_events='249' with empty_msg='0'.

10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'ForwardedEvents'

10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Application': total_events='0' with empty_msg='0'.

10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Application'

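As an added example (not code from the post or from Splunk), here is a small Python triage script for exactly the symptom described above: it reads splunkd.log lines of the form shown, pairs each channel's "Processing existing Windows Event Log" line with its "Finished processing" line, and reports any channel that started but never finished. The sample input is the log excerpt from the post; the function names are mine.

```python
import re

# Sample input: the splunkd.log excerpt from the post above (newest line first,
# as Splunk showed it). 'Security' has a "Processing" line but no "Finished" line.
SAMPLE_LOG = """\
10-31-2012 12:19:20.240 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'
10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Internet Explorer': total_events='0' with empty_msg='0'.
10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Internet Explorer'
10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'HardwareEvents': total_events='0' with empty_msg='0'.
10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'HardwareEvents'
10-31-2012 12:18:59.194 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'ForwardedEvents': total_events='249' with empty_msg='0'.
10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'ForwardedEvents'
10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Application': total_events='0' with empty_msg='0'.
10-31-2012 12:18:58.367 +1100 INFO WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Application'
"""

# One regex covers both the "Processing" and the "Finished processing" forms;
# the total_events group only exists on the Finished lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) WinEventLogInputProcessor - main-thread: "
    r"(?P<verb>Processing|Finished processing) existing Windows Event Log "
    r"'(?P<channel>[^']+)'"
    r"(?::\s*total_events='(?P<total>\d+)')?"
)


def parse_channel_events(text):
    """Return a list of dicts (ts, level, verb, channel, total) for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_unfinished_channels(text):
    """Channels with a 'Processing' line but no 'Finished processing' line.

    Returns {channel: timestamp_of_processing_line}. A channel listed here is
    where the input is stuck (or still running); for the post's excerpt it is
    'Security'.
    """
    started, finished = {}, set()
    for ev in parse_channel_events(text):
        if ev["verb"] == "Processing":
            started[ev["channel"]] = ev["ts"]
        else:
            finished.add(ev["channel"])
    return {ch: ts for ch, ts in started.items() if ch not in finished}


def finished_channel_totals(text):
    """{channel: total_events} for every channel that reported a Finished line."""
    return {
        ev["channel"]: int(ev["total"])
        for ev in parse_channel_events(text)
        if ev["verb"] == "Finished processing"
    }


if __name__ == "__main__":
    for ch, ts in find_unfinished_channels(SAMPLE_LOG).items():
        print(f"stuck: {ch} (processing since {ts})")
    for ch, n in finished_channel_totals(SAMPLE_LOG).items():
        print(f"done:  {ch} total_events={n}")
```

Run it against a real splunkd.log (read the file and pass its text) after a restart; a channel that stays in the "stuck" list while later channels never appear is the one holding up the alphabetical sweep, which is the pattern the poster saw for Security.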

marcpatron
Explorer

The problem has been solved.

At the same time as a bunch of other changes, some firewall rules were put in place around the Splunk server. The WinEventLog:Security input by default looks up AD to resolve SIDs in events (evt_resolve_ad_obj = 1). This uses RPC ports to communicate with the AD servers. I have disabled this setting (evt_resolve_ad_obj = 0) and all event logs are now being indexed once again. There appears to be no issue with resolved usernames in the event logs.

I discovered this in the splunkd.log with DEBUG turned on for WinEventLog*. Initially the following entries appear just as the Security log was beginning to be processed:

WinEventLogChannel - EvtDC::bind: Found DC='\SERVER1.xyz.loc', DCsite='XYZ', ClientSite = 'XYZ', Domain='xyz.loc'
WinEventLogChannel - connectToDC: DsBind failed: (1722)'The operation completed successfully.'
WinEventLogChannel - init: Failed to bind to DC, dc_bind_time=21140 msec

Then every 21 seconds:

WinEventLogChannel - connectToDC: DsBind failed: (1722)'The operation completed successfully.'
WinEventLogChannel - WinEventLogChannel::translateSidLocally Translating sids locally...

I assume that the events were being indexed, just very slowly, so that it would appear to never finish indexing the security log and move onto other logs.

I have reviewed the firewall rules and need to allow the blocked RPC port (tcp/1026).

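As an added example (not the poster's code and not part of Splunk), a Python checker for the setting named in the solution above. It parses an inputs.conf and lists which enabled WinEventLog inputs will try to resolve SIDs through a domain controller (and therefore depend on RPC reachability through the firewall), then produces a copy of the conf with evt_resolve_ad_obj = 0 for those channels. The sample inputs.conf is constructed; the stanza form [WinEventLog://<channel>] is Splunk's own. The post states that the Security input defaults to 1; treating every other channel as 0 when the key is absent is an assumption of this checker.

```python
import configparser
import io

# Constructed inputs.conf, not from the post. The Security stanza omits
# evt_resolve_ad_obj (the post says its default is 1); System sets it
# explicitly; Setup sets it but is disabled, so it never binds to a DC.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0
evt_resolve_ad_obj = 1

[WinEventLog://Setup]
disabled = 1
evt_resolve_ad_obj = 1
"""

# Per-channel default when the key is absent. "1" for Security is what the
# post states; "0" for every other channel is an assumption of this checker.
DEFAULT_RESOLVE = {"Security": "1"}

PREFIX = "WinEventLog://"


def load_stanzas(text):
    """Parse Splunk's INI-style conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def channels_resolving_via_ad(text):
    """Enabled WinEventLog channels whose input resolves SIDs via a DC (RPC)."""
    hits = []
    for name, opts in load_stanzas(text).items():
        if not name.startswith(PREFIX):
            continue
        channel = name[len(PREFIX):]
        if opts.get("disabled", "0").strip().lower() in ("1", "true"):
            continue
        value = opts.get("evt_resolve_ad_obj", DEFAULT_RESOLVE.get(channel, "0"))
        if value.strip() == "1":
            hits.append(channel)
    return hits


def with_ad_resolution_disabled(text, channels):
    """Return conf text with evt_resolve_ad_obj = 0 set for the given channels."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    for channel in channels:
        stanza = PREFIX + channel
        if not cp.has_section(stanza):
            cp.add_section(stanza)
        cp[stanza]["evt_resolve_ad_obj"] = "0"
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    needs_rpc = channels_resolving_via_ad(SAMPLE_INPUTS_CONF)
    print("channels that need RPC to a DC:", needs_rpc)
    print(with_ad_resolution_disabled(SAMPLE_INPUTS_CONF, needs_rpc))
```

The first function is the useful one even if you keep AD resolution on: it tells you which inputs depend on the domain controller being reachable, so the firewall rule for the RPC port the poster identified can be verified against that list before any settings are changed. The rewrite is the workaround the poster applied; note that configparser drops comments from the conf it writes back.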

marcpatron
Explorer

I am indexing using Local Event Log collection, configured in the Windows App, not via monitoring the .evtx files. The server is Win2008.

rovechkin_splun
Splunk Employee

Can you please clarify your scenario? Are you indexing evtx logs by pointing Splunk to the directory?
