Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I getting error "Received event for unconfigured/disabled/deleted index="wineventlog"" when the index does exist?

Epicism1
Explorer
‎02-09-2016 01:18 PM

Hello,

I am trying to log the Sysmon/Operational Windows event logs via the Sysmon TA app:

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = true
index=wineventlog

But when I push the app to the Universal Forwarders on my Windows boxes, I am receiving the error:

Received event for unconfigured/disabled/deleted index="wineventlog" with source="source::WinEventLog:Microsoft-Windows-Sysmon/Operational" host="host::XX" sourcetype="sourcetype::XmlWinEventLog:Microsoft-Windows-Sysmon/Operational". So far received events from 1 missing index(es).

The challenge is that the index does exist and is enabled:
alt text

It was originally created by the Windows TA app, so I deleted it, recreated it, put it in indexes.conf, but nothing. I cannot see the issue.

Any help would be appreciated.

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Epicism1
Explorer
‎02-13-2016 10:20 AM

So I figured out what the issue is. I set the index in inputs.conf which made the hard-coded checksum fail and refuse to install

The universal forwarder splunkd.log has the error:

02-06-2016 05:15:54.061 -0500 INFO  DeployedApplication - Checksum mismatch 0 <> 7566232508823169641 for app=TA-microsoft-sysmon. Will reload from='splunk.projectmayhem.local:8089/services/streams/deployment?name=default:Windows%20Event%20Logs:TA-microsoft-sysmon'
02-06-2016 05:15:54.076 -0500 INFO  DeployedApplication - Downloaded url=splunk.projectmayhem.local:8089/services/streams/deployment?name=default:Windows%20Event%20Logs:TA-microsoft-sysmon to file='C:\Program Files\SplunkUniversalForwarder\var\run\Windows Event Logs\TA-microsoft-sysmon-1454471855.bundle' sizeKB=30
02-06-2016 05:15:54.076 -0500 WARN  DeployedApplication - app=TA-microsoft-sysmon, installed_via="search head cluster deployer, UI, CLI, or REST API", checksum=0b39270c03e818fb6bcadcf51781171cc69e07ce
02-06-2016 05:15:54.076 -0500 WARN  DeployedApplication - app=TA-microsoft-sysmon was already installed via search head cluster deployer, UI, CLI, or REST API; it may not be overridden via deployment server; remove existing app=TA-microsoft-sysmon via search head cluster deployer, UI, CLI, or REST API if you wish to install it via deployment server
02-06-2016 05:15:54.076 -0500 ERROR DeployedServerclass - name=Windows Event Logs Failed to install app=TA-microsoft-sysmon

To fix it I removed the checksum in the app.conf file.

Thanks for your help.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Epicism1
Explorer
‎02-13-2016 10:20 AM

So I figured out what the issue is. I set the index in inputs.conf which made the hard-coded checksum fail and refuse to install

The universal forwarder splunkd.log has the error:

02-06-2016 05:15:54.061 -0500 INFO  DeployedApplication - Checksum mismatch 0 <> 7566232508823169641 for app=TA-microsoft-sysmon. Will reload from='splunk.projectmayhem.local:8089/services/streams/deployment?name=default:Windows%20Event%20Logs:TA-microsoft-sysmon'
02-06-2016 05:15:54.076 -0500 INFO  DeployedApplication - Downloaded url=splunk.projectmayhem.local:8089/services/streams/deployment?name=default:Windows%20Event%20Logs:TA-microsoft-sysmon to file='C:\Program Files\SplunkUniversalForwarder\var\run\Windows Event Logs\TA-microsoft-sysmon-1454471855.bundle' sizeKB=30
02-06-2016 05:15:54.076 -0500 WARN  DeployedApplication - app=TA-microsoft-sysmon, installed_via="search head cluster deployer, UI, CLI, or REST API", checksum=0b39270c03e818fb6bcadcf51781171cc69e07ce
02-06-2016 05:15:54.076 -0500 WARN  DeployedApplication - app=TA-microsoft-sysmon was already installed via search head cluster deployer, UI, CLI, or REST API; it may not be overridden via deployment server; remove existing app=TA-microsoft-sysmon via search head cluster deployer, UI, CLI, or REST API if you wish to install it via deployment server
02-06-2016 05:15:54.076 -0500 ERROR DeployedServerclass - name=Windows Event Logs Failed to install app=TA-microsoft-sysmon

To fix it I removed the checksum in the app.conf file.

Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-14-2016 08:33 PM

Why that would cause the message you saw on the indexer I am not sure, but I am glad you figured it out!

0 Karma
Reply
Solved! Jump to solution

Epicism1
Explorer
‎02-15-2016 06:22 AM

Yeah, that part is weird because it seems to me like it shouldn't be attempting to send any logs to the indexer. Weird.

0 Karma
Reply
Solved! Jump to solution

bandit
Motivator
‎02-10-2016 07:13 PM

If you haven't already done so, I would try restarting your indexers to ensure they are initializing the indexes.conf config updates.

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-09-2016 03:37 PM

Can you run sudo ./splunk cmd btool indexes list --debug | grep -A 10 "\[wineventlog" on your indexer and share the output, please?

0 Karma
Reply
Solved! Jump to solution

Epicism1
Explorer
‎02-09-2016 04:23 PM 
/opt/splunk/etc/system/local/indexes.conf                    [wineventlog]
/opt/splunk/etc/system/default/indexes.conf                  assureUTF8 = false
/opt/splunk/etc/system/default/indexes.conf                  bucketRebuildMemoryHint = auto
/opt/splunk/etc/system/local/indexes.conf                    coldPath = $SPLUNK_DB/wineventlog/colddb
/opt/splunk/etc/system/default/indexes.conf                  coldPath.maxDataSizeMB = 0
/opt/splunk/etc/system/default/indexes.conf                  coldToFrozenDir =
/opt/splunk/etc/system/default/indexes.conf                  coldToFrozenScript =
/opt/splunk/etc/system/default/indexes.conf                  compressRawdata = true
/opt/splunk/etc/system/default/indexes.conf                  defaultDatabase = main
/opt/splunk/etc/system/default/indexes.conf                  enableDataIntegrityControl = false
/opt/splunk/etc/system/default/indexes.conf                  enableOnlineBucketRepair = true
0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-09-2016 05:13 PM

Hmmm, that is weird. When you run a search on the indexer using index=wineventlog, do you see data? Your screenshot suggests there should be events in it.
The only other thing I can think of is some weird non-printable control character in your inputs.conf.

0 Karma
Reply
Solved! Jump to solution

Epicism1
Explorer
‎02-09-2016 08:32 PM

Yes, security and application event logs are streaming in no problem. I'll try running dos2unix on the inputs.conf file...

0 Karma
Reply
Solved! Jump to solution

s2_splunk
Splunk Employee
Splunk Employee
‎02-09-2016 09:43 PM

I think that is a great idea... Please report back.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...