Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

UF - WinEventLog Security collection error - GUID translation failure

olivier_guisneu
Engager
‎07-13-2023 01:38 AM

Hi,

We deployed an UF on a Win server 2022 and enabled the [WinEventLog://Security] log collection. 

The log collection stops for hours sometime, and we see this error :

ERROR ExecProcessor [6468 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" WinEventCommonChannel - WinEventLogChannelBase::transADObject: Failed to convert guid string to guid structure: Invalid class string

After a few hours or minutes (randomly), Splunk starts again the log collection and then stops again. And all of that witout any service restart.

It only happens with Security Event logs. No issue with Application or System.

 

Has anyone seen this error before?

Splunk UF version : 9.0.5 (64bits)
Splunk_TA_windows : 8.7.0

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution

splunkaderpa
Engager
‎02-13-2024 07:08 AM

I'm having the same exact error on Server 2022, except with UF v9.1.3.

0 Karma
Reply
Solved! Jump to solution

JasmitaWalia
Observer
‎01-30-2024 05:09 AM

@olivier_guisneu  Did you reach out to splunk support? I am facing similar issue.

0 Karma
Reply
Solved! Jump to solution
Solution

olivier_guisneu
Engager
‎01-30-2024 07:02 AM

We upgraded the UF to v 9.0.6 and it solved our issue

https://docs.splunk.com/Documentation/Splunk/9.0.6/ReleaseNotes/Fixedissues#Windows-specific_issues

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎07-14-2023 02:50 AM

@olivier_guisneu - I don't see that as a Known issue with Splunk. If you have Splunk license, you can raise a Splunk support case for this.

 

I hope this helps!! Consider upvoting!!

0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...