Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

UF - WinEventLog Security collection error - GUID translation failure

olivier_guisneu
Engager
‎07-13-2023 01:38 AM

Hi,

We deployed an UF on a Win server 2022 and enabled the [WinEventLog://Security] log collection. 

The log collection stops for hours sometime, and we see this error :

ERROR ExecProcessor [6468 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - WinEventLogChannelBase::transADObject: Failed to convert guid string to guid structure: Invalid class string

After a few hours or minutes (randomly), Splunk starts again the log collection and then stops again. And all of that witout any service restart.

It only happens with Security Event logs. No issue with Application or System.

 

Has anyone seen this error before?

Splunk UF version : 9.0.5 (64bits)
Splunk_TA_windows : 8.7.0

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution

splunkaderpa
Engager
‎02-13-2024 07:08 AM

I'm having the same exact error on Server 2022, except with UF v9.1.3.

0 Karma
Reply
Solved! Jump to solution

JasmitaWalia
Observer
‎01-30-2024 05:09 AM

@olivier_guisneu  Did you reach out to splunk support? I am facing similar issue.

0 Karma
Reply
Solved! Jump to solution
Solution

olivier_guisneu
Engager
‎01-30-2024 07:02 AM

We upgraded the UF to v 9.0.6 and it solved our issue

https://docs.splunk.com/Documentation/Splunk/9.0.6/ReleaseNotes/Fixedissues#Windows-specific_issues

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎07-14-2023 02:50 AM

@olivier_guisneu - I don't see that as a Known issue with Splunk. If you have Splunk license, you can raise a Splunk support case for this.

 

I hope this helps!! Consider upvoting!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...