Splunk for Exchange 2010 error

tdesaules
New Member

Hi!

I have a lot of errors like this when I try to log an Exchange server:

10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui" splunk-perfmon - Unable to add counter '\MSExchangeIS Mailbox()\Messages Sent/sec' error 0xc0000bb8
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui"
ERROR splunk-perfmon - Perfmon - Invalid counter -
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui" splunk-perfmon - Unable to add counter '\MSExchangeIS Mailbox()\Messages Submitted/sec' error 0xc0000bb8
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui"
ERROR splunk-perfmon - Perfmon - Invalid counter -
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui" splunk-perfmon - Unable to add counter '\MSExchangeIS Mailbox()\Messages Queued for Submission' error 0xc0000bb8
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui"
ERROR splunk-perfmon - Perfmon - Invalid counter -
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui" splunk-perfmon - Unable to add counter '\MSExchangeImap4()\Authenticate Failures' error 0xc0000bb8
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui"
ERROR splunk-perfmon - Perfmon - Invalid counter -
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui" splunk-perfmon - Unable to add counter '\MSExchangeImap4()\Login Failures' error 0xc0000bb8
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui"
ERROR splunk-perfmon - Perfmon - Invalid counter -
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui" splunk-perfmon - Unable to add counter '\MSExchangeImap4()\Current Connections' error 0xc0000bb8
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui"
ERROR splunk-perfmon - Perfmon - Invalid counter -
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui" splunk-perfmon - Unable to add counter '\MSExchangeImap4()\Connections Rejected' error 0xc0000bb8
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui"
ERROR splunk-perfmon - Perfmon - Invalid counter -
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui" splunk-perfmon - Unable to add counter '\MSExchangeImap4()\Average Command Processing Time' error 0xc0000bb8
10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe" -noui"
ERROR splunk-perfmon - Perfmon - Invalid counter -

Does somebody have an idea?

0 Karma

tdesaules
New Member

Great, that is working!
Thank you very much!

0 Karma

ahall_splunk
Splunk Employee

You have two unassociated problems here.

Problem #1: Perfmon collection is not working on your CAS server.

This is probably because you are using a foreign language version of Exchange. In this case, the counters are translated by Microsoft, and do not have the same name. In order to fix this, you will need to adjust perfmon.conf to collect the right thing (you should attempt to find out what the right thing is by running perfmon.exe and finding the correct counters). You will also need to adjust the searches in the *-performance.xml files (in Splunk_for_Exchange/default/data/ui/views) so that the searches match what is being collected.

This is not the only area that requires adjustment for foreign language support, so don't be surprised if dashboards relying on the Windows Event Log are similarly broken. I'll be glad to work with you for support of your language. Contact msexchange@splunk.com to set this up.

Problem #2: PowerShell scripts are not being decoded properly, with line breaker problems.

This problem is likely because you have not placed the fwd-apps.zip, unpacked, everywhere it needs to be. The next release of Splunk App for Microsoft Exchange will fix this problem. Until then, unpack fwd-apps.zip on indexer and search head and ensure the appropriate fwd_exchange* apps are deployed on your Universal Forwarder that sits on the Exchange server. There is some excellent documentation on this subject on http://docs.splunk.com

0 Karma
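
Added example (not part of the thread and not Splunk's code): the status in the errors above, 0xc0000bb8, is PDH_CSTATUS_NO_OBJECT in the Windows SDK header pdhmsg.h, meaning the counter object name itself was not found on the host, as opposed to 0xc0000bb9 (PDH_CSTATUS_NO_COUNTER), where the object exists but the counter name does not. This Python script groups such errors from a splunkd.log excerpt by object and status, giving the list of object names to look up in perfmon.exe; the function names are hypothetical and the sample log is constructed from the lines in the question plus one made-up `\Processor` entry.

```python
import re
from collections import defaultdict

# PDH status codes as defined in the Windows SDK header pdhmsg.h.
PDH_STATUS = {
    0xC0000BB8: "PDH_CSTATUS_NO_OBJECT",    # object name not found on this host
    0xC0000BB9: "PDH_CSTATUS_NO_COUNTER",   # object exists, counter name does not
    0x800007D1: "PDH_CSTATUS_NO_INSTANCE",  # instance not found
}

# Counter path layout: \Object(instance)\Counter, instance part optional.
ERR_RE = re.compile(
    r"Unable to add counter '\\(?P<object>[^\\(']+)"
    r"(?:\((?P<instance>[^)']*)\))?"
    r"\\(?P<counter>[^']+)' error (?P<code>0x[0-9a-fA-F]+)"
)

def missing_counters(log_text):
    """Map (object, PDH status name) -> sorted counter names that failed."""
    # Rejoin entries that were wrapped in the middle of a counter path.
    text = re.sub(r"\(\s*\n\s*\)", "()", log_text)
    found = defaultdict(set)
    for m in ERR_RE.finditer(text):
        code = int(m.group("code"), 16)
        status = PDH_STATUS.get(code, "unknown PDH status 0x%08x" % code)
        found[(m.group("object"), status)].add(m.group("counter"))
    return {key: sorted(names) for key, names in found.items()}

def objects_to_verify(report):
    """Object names the host does not expose under the configured name."""
    return sorted({obj for obj, status in report if status == "PDH_CSTATUS_NO_OBJECT"})

# Constructed sample: three entries in the format quoted in the question (one
# wrapped mid-path) and one made-up \Processor entry with a different status.
_PREFIX = (r'10-19-2011 20:37:04.309 +0200 ERROR ExecProcessor - message from '
           r'""C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"'
           r' -noui" splunk-perfmon - Unable to add counter ')
SAMPLE_LOG = "\n".join(_PREFIX + tail for tail in [
    r"'\MSExchangeIS Mailbox()\Messages Sent/sec' error 0xc0000bb8",
    "'\\MSExchangeImap4(\n)\\Authenticate Failures' error 0xc0000bb8",
    r"'\MSExchangeImap4()\Login Failures' error 0xc0000bb8",
    r"'\Processor(_Total)\No Such Counter' error 0xc0000bb9",
])

if __name__ == "__main__":
    report = missing_counters(SAMPLE_LOG)
    for (obj, status), counters in sorted(report.items()):
        print("%-22s %-24s %s" % (obj, status, ", ".join(counters)))
    print("Check in perfmon.exe:", objects_to_verify(report))
```

Until the IMAP4 counters in that list are collected, any dashboard or alert built on them has no data to work with.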

tdesaules
New Member

It's from a Windows 2008R2 with Exchange 2010.
Actually, I have a secondary problem, the transform doesn't work:

User="Administrateur" Database="Mailbox Database 0713983097" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=4791 TotalDeletedItemSize=0
User="t.desaules" Database="Mailbox Database 0713983097" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=25255 TotalDeletedItemSize=0
User="v.vdb" Database="Mailbox Database 0713983097" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=134 TotalDeletedItemSize=0
User="d.esteban" Database="Mailbox Database 0713983097" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=134 TotalDeletedItemSize=0
User="y.prigent" Database="Mailbox Database 0713983097" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=7822 TotalDeletedItemSize=0
User="m.mq" Database="Mailbox Database 0713983097" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=134 TotalDeletedItemSize=0
User="pierre" Database="Mailbox Database 0713983097" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=39094 TotalDeletedItemSize=134
User="tom" Database="Mailbox Database 0713983097" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=3466 TotalDeletedItemSize=0
User="paul" Database="Mailbox Database 0713983097" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=3476 TotalDeletedItemSize=0
User="tim" Database="Mailbox Database 0713983097" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=45480 TotalDeletedItemSize=25436
User="SM_643a26be6da44648b" Database="Mailbox Database 0713983097" MinQuota=53687091200 ProhibitSendQuota=53687091200 ProhibitSendReceiveQuota=53687091200 TotalItemSize=134 TotalDeletedItemSize=0
User="splunk" Database="Mailbox Database 0498383767" MinQuota=2147483648 ProhibitSendQuota=2147483648 ProhibitSendReceiveQuota=2469396480 TotalItemSize=0 TotalDeletedItemSize=0

It's one log... strange, no?

0 Karma

malmoore
Splunk Employee

Does this server hold all of the Exchange server roles?

0 Karma

ahall_splunk
Splunk Employee

This is from a CAS server, obviously. What version of Windows, IIS and Exchange are you running?

In the short version, the Perfmon counters that we are expecting to be available are not available.

0 Karma