Hello,
I would like to index all print events generated on Windows Server 2012 Event log. The log is located under Windows Logs, Applications and Services, Microsoft, Windows, PrintService, Operational (and Admin).
I installed a Universal Forwarder on the print server then tried to view logs on my indexer, and the only Available Logs are the standard ones. If I look at Data Inputs for Local Log File Collection, the PrintService logs are available.
Here are the contents of my local\inputs.conf:
[default]
host = PS-MAINOFFICE2
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[WinEventLog://Microsoft-Windows-PrintService/Admin]
disabled = 0
[WinEventLog://Microsoft-Windows-PrintService/Operational]
disabled = 0
Here's what shows in my splunkd.log on the print server:
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WELCheckPoint::saveCheckpointStr: Unable to open checkpoint file='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\microsoft-windows-printservice/operational' for write
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to save checkpoint_file='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\microsoft-windows-printservice/operational' for channel='microsoft-windows-printservice/operational'
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='microsoft-windows-printservice/operational'
Am I missing something somewhere?
Thanks,
Mike
I don't know what happened, but the problem seemed to have fixed itself. I'm seeing print events now. A couple things to clarify:
FWIW, my Splunk Forwarder service runs under LocalSystem account, not a specific user account. Are you seeing the same errors I saw in my Splunk logs?
Looking for a solution to this as well.
Did you get a solution for this? I'm facing the same error and cannot figure out what's going on.
Thanks
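An added example, not part of the thread and not Splunk's own tooling: a small triage script that reads splunkd.log text, groups the splunk-winevtlog checkpoint errors by channel, and reports which `WinEventLog://` stanzas in inputs.conf are affected. The function names are hypothetical; the sample log lines and stanzas are copied from the question above.

```python
import re
from collections import defaultdict

# Sample inputs copied from the question's splunkd.log excerpt and inputs.conf.
SAMPLE_LOG = r'''
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WELCheckPoint::saveCheckpointStr: Unable to open checkpoint file='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\microsoft-windows-printservice/operational' for write
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to save checkpoint_file='C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\microsoft-windows-printservice/operational' for channel='microsoft-windows-printservice/operational'
02-27-2014 13:18:45.767 -0500 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::processLogChannel: Failed to checkpoint for channel='microsoft-windows-printservice/operational'
'''
SAMPLE_CONF = """
[WinEventLog://Microsoft-Windows-PrintService/Admin]
disabled = 0
[WinEventLog://Microsoft-Windows-PrintService/Operational]
disabled = 0
"""

ERR = re.compile(r"^(?P<ts>\d\d-\d\d-\d{4} [\d:.]+ [+-]\d{4}) ERROR ExecProcessor - "
                 r".*splunk-winevtlog - (?P<msg>.*)$")
PATH = re.compile(r"checkpoint[ _]file='([^']+)'")
CHAN = re.compile(r"channel='([^']+)'")
STANZA = re.compile(r"^\[(WinEventLog://(.+))\]\s*$", re.I)

def checkpoint_failures(log_text):
    """Return {channel: [timestamps]} for splunk-winevtlog checkpoint errors."""
    rows, path_to_chan = [], {}
    for line in log_text.splitlines():
        m = ERR.match(line.strip())
        if not m or "checkpoint" not in m["msg"].lower():
            continue
        path, chan = PATH.search(m["msg"]), CHAN.search(m["msg"])
        path = path.group(1).lower() if path else None
        chan = chan.group(1).lower() if chan else None
        if path and chan:
            path_to_chan[path] = chan  # a line naming both links path to channel
        rows.append((m["ts"], path, chan))
    failures = defaultdict(list)
    for ts, path, chan in rows:
        # Lines that carry only the path are attributed via the learned mapping.
        failures[chan or path_to_chan.get(path, f"unknown:{path}")].append(ts)
    return dict(failures)

def affected_stanzas(log_text, conf_text):
    """Return inputs.conf stanzas whose channel logged checkpoint failures."""
    failing = checkpoint_failures(log_text)  # channel names are lowercased in the log
    found = (STANZA.match(line.strip()) for line in conf_text.splitlines())
    return [m.group(1) for m in found if m and m.group(2).lower() in failing]

if __name__ == "__main__":
    print(checkpoint_failures(SAMPLE_LOG))
    print(affected_stanzas(SAMPLE_LOG, SAMPLE_CONF))
```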