Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting error "Received event for unconfigured/disabled/deleted index="wineventlog"" when the index does exist?

Epicism1
Explorer
‎02-09-2016 01:18 PM

Hello,

I am trying to log the Sysmon/Operational Windows event logs via the Sysmon TA app:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index=wineventlog

But when I push the app to the Universal Forwarders on my Windows boxes, I am receiving the error:

Received event for unconfigured/disabled/deleted index="wineventlog" with source="source::WinEventLog:Microsoft-Windows-Sysmon/Operational" host="host::XX" sourcetype="sourcetype::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational". So far received events from 1 missing index(es).

The challenge is that the index does exist and is enabled:
alt text

It was originally created by the Windows TA app, so I deleted it, recreated it, put it in indexes.conf, but nothing. I cannot see the issue.

Any help would be appreciated.

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Epicism1
Explorer
‎02-13-2016 10:20 AM

So I figured out what the issue is. I set the index in inputs.conf which made the hard-coded checksum fail and refuse to install

The universal forwarder splunkd.log has the error:

02-06-2016 05:15:54.061 -0500 INFO  DeployedApplication - Checksum mismatch 0 <> 7566232508823169641 for app=TA-microsoft-sysmon. Will reload from='splunk.projectmayhem.local:8089/services/streams/deployment?name=default:Windows%20Event%20Logs:TA-microsoft-sysmon'
02-06-2016 05:15:54.076 -0500 INFO  DeployedApplication - Downloaded url=splunk.projectmayhem.local:8089/services/streams/deployment?name=default:Windows%20Event%20Logs:TA-microsoft-sysmon to file='C:\Program Files\SplunkUniversalForwarder\var\run\Windows Event Logs\TA-microsoft-sysmon-1454471855.bundle' sizeKB=30
02-06-2016 05:15:54.076 -0500 WARN  DeployedApplication - app=TA-microsoft-sysmon, installed_via="search head cluster deployer, UI, CLI, or REST API", checksum=0b39270c03e818fb6bcadcf51781171cc69e07ce
02-06-2016 05:15:54.076 -0500 WARN  DeployedApplication - app=TA-microsoft-sysmon was already installed via search head cluster deployer, UI, CLI, or REST API; it may not be overridden via deployment server; remove existing app=TA-microsoft-sysmon via search head cluster deployer, UI, CLI, or REST API if you wish to install it via deployment server
02-06-2016 05:15:54.076 -0500 ERROR DeployedServerclass - name=Windows Event Logs Failed to install app=TA-microsoft-sysmon

To fix it I removed the checksum in the app.conf file.

Thanks for your help.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Epicism1
Explorer
‎02-13-2016 10:20 AM

So I figured out what the issue is. I set the index in inputs.conf which made the hard-coded checksum fail and refuse to install

The universal forwarder splunkd.log has the error:

02-06-2016 05:15:54.061 -0500 INFO  DeployedApplication - Checksum mismatch 0 <> 7566232508823169641 for app=TA-microsoft-sysmon. Will reload from='splunk.projectmayhem.local:8089/services/streams/deployment?name=default:Windows%20Event%20Logs:TA-microsoft-sysmon'
02-06-2016 05:15:54.076 -0500 INFO  DeployedApplication - Downloaded url=splunk.projectmayhem.local:8089/services/streams/deployment?name=default:Windows%20Event%20Logs:TA-microsoft-sysmon to file='C:\Program Files\SplunkUniversalForwarder\var\run\Windows Event Logs\TA-microsoft-sysmon-1454471855.bundle' sizeKB=30
02-06-2016 05:15:54.076 -0500 WARN  DeployedApplication - app=TA-microsoft-sysmon, installed_via="search head cluster deployer, UI, CLI, or REST API", checksum=0b39270c03e818fb6bcadcf51781171cc69e07ce
02-06-2016 05:15:54.076 -0500 WARN  DeployedApplication - app=TA-microsoft-sysmon was already installed via search head cluster deployer, UI, CLI, or REST API; it may not be overridden via deployment server; remove existing app=TA-microsoft-sysmon via search head cluster deployer, UI, CLI, or REST API if you wish to install it via deployment server
02-06-2016 05:15:54.076 -0500 ERROR DeployedServerclass - name=Windows Event Logs Failed to install app=TA-microsoft-sysmon

To fix it I removed the checksum in the app.conf file.

Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-14-2016 08:33 PM

Why that would cause the message you saw on the indexer I am not sure, but I am glad you figured it out!

0 Karma
Reply
Solved! Jump to solution

Epicism1
Explorer
‎02-15-2016 06:22 AM

Yeah, that part is weird because it seems to me like it shouldn't be attempting to send any logs to the indexer. Weird.

0 Karma
Reply
Solved! Jump to solution

bandit
Motivator
‎02-10-2016 07:13 PM

If you haven't already done so, I would try restarting your indexers to ensure they are initializing the indexes.conf config updates.

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-09-2016 03:37 PM

Can you run sudo ./splunk cmd btool indexes list --debug | grep -A 10 "\[wineventlog" on your indexer and share the output, please?

0 Karma
Reply
Solved! Jump to solution

Epicism1
Explorer
‎02-09-2016 04:23 PM 
/opt/splunk/etc/system/local/indexes.conf                    [wineventlog]
/opt/splunk/etc/system/default/indexes.conf                  assureUTF8 = false
/opt/splunk/etc/system/default/indexes.conf                  bucketRebuildMemoryHint = auto
/opt/splunk/etc/system/local/indexes.conf                    coldPath = $SPLUNK_DB/wineventlog/colddb
/opt/splunk/etc/system/default/indexes.conf                  coldPath.maxDataSizeMB = 0
/opt/splunk/etc/system/default/indexes.conf                  coldToFrozenDir =
/opt/splunk/etc/system/default/indexes.conf                  coldToFrozenScript =
/opt/splunk/etc/system/default/indexes.conf                  compressRawdata = true
/opt/splunk/etc/system/default/indexes.conf                  defaultDatabase = main
/opt/splunk/etc/system/default/indexes.conf                  enableDataIntegrityControl = false
/opt/splunk/etc/system/default/indexes.conf                  enableOnlineBucketRepair = true
0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-09-2016 05:13 PM

Hmmm, that is weird. When you run a search on the indexer using index=wineventlog, do you see data? Your screenshot suggests there should be events in it.
The only other thing I can think of is some weird non-printable control character in your inputs.conf.

0 Karma
Reply
Solved! Jump to solution

Epicism1
Explorer
‎02-09-2016 08:32 PM

Yes, security and application event logs are streaming in no problem. I'll try running dos2unix on the inputs.conf file...

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-09-2016 09:43 PM

I think that is a great idea... Please report back.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...