Getting Data In

Why are we not receiving Windows event logs from our domain controller and getting error "Admin handler 'win-wmi-enum-eventlogs' not found"?

amunro
New Member

When setting up a Splunk forwarder for monitoring a Windows server, we receive performance metrics, but not Windows events. When I enter the application log's data input settings and ask it to look for logs on the server I am given the following error:

'win-wmi-enum-eventlogs': Admin handler 'win-wmi-enum-eventlogs' not found.

I suspect this is something related to my issue as the forwarder doesn't seem to be able to enumerate the event logs on the server and I am having trouble receiving logs from this server. Is this a known error or is this likely to be an issue with the Windows Server?

The forwarder is version 6.2.5 and is being run as the local system, the server is a domain controller and I've tried running it as system and as the domain administrator.

0 Karma

Richfez
SplunkTrust

What does the stanza for one of those inputs look like?

I don't have access to my DC at the moment, but I think the UF on the local system shouldn't be using WMI for this, but instead should have stanzas like the below in inputs.conf:

[WinEventLog://Application]
... stuff in here...

0 Karma

Richfez
SplunkTrust

Shucks, easy answer didn't work. 🙂

On your DC, try
c:\program files\splunkuniversalforwarder\splunk\bin\splunk cmd btool --debug inputs list | clip
Then paste that into your favorite text editor. Obviously fix up your path as required.

Once you have that, search for a few things and see what it says. One would be to search for/find the stanza for your wineventlog://application, so search for that -
[WinEventLog://Application]
Maybe it could be useful to see what shows up if you search for wmi, too - that might need to be repeated a few times to find the right sections.

If you haven't read btool output before it can be a bit overwhelming at first, but it really is a bit more straightforward than it first looks. Here's docs for usage of btool. I haven't found anything great on how to read it, but really, it's not as hard as it looks if you give it a shot.

0 Karma

amunro
New Member

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Application]

The same shows up for all of the logs I want to monitor. Oddly enough the logs now seem to be pulled OK once I explicitly declare the root directory, but the logs are going into the wrong index; hitting 'wineventlog' instead of 'main' and meaning the search for the host doesn't show them. Still, I suspect that this is something I need to configure on the log server and not an issue with the client.

0 Karma

amunro
New Member

Apparently SPLUNK_HOME isn't set, which is odd because I've defined it as an environment variable so I'm guessing it's missing from one of the head-end config files, I'll get this fixed and read through the input as soon as I can, thanks for your help.

EDIT: SPLUNK_HOME isn't explicitly set but the default directory for it (one above .\etc) should be correct. In addition when I uncomment the explicit definition in splunk-launch.conf the reporting tool starts working.

0 Karma

amunro
New Member

Thanks for the reply.

I had a look in SPLUNKDIR\etc\apps\Splunk_TA_windows\local\inputs.conf and I found the following entries for the event logs:

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

This just seems to be a switch to toggle them on and off so is there anywhere else I should be looking for configuration? I notice the template file has far more options for each log but I also notice it doesn't have any source definition options.

0 Karma
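As an added example (not code from this thread, nor from Splunk or the Splunk_TA_windows add-on), the script below does by hand what the btool advice above asks the reader to do by eye: it parses the file-prefixed layout of `splunk cmd btool --debug inputs list`, collects every [WinEventLog://...] stanza together with the file that set each key, and then reports which logs are still disabled and which are routed to an index other than the one the search expects (the `wineventlog` versus `main` mismatch described above). It also shows the kind of settings (index, start_from, current_only, checkpointInterval) that the add-on's default inputs.conf layers underneath the bare `disabled = 0` switch in local. The btool output embedded in the block is constructed to resemble the lines quoted in this thread, not real output from anyone's domain controller; the file paths, the `DC01` host and the `main` index are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `splunk cmd btool --debug inputs list` output, modelled
# on the file-prefixed line quoted in the thread. Not real output from any host.
# Each line is "<file that set it> <stanza header or key = value>".
SAMPLE_BTOOL_OUTPUT = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Application]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf checkpointInterval = 5
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf current_only = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf start_from = oldest
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf disabled = 1
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf [WinEventLog://System]
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf index = main
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf [default]
C:\Program Files\SplunkUniversalForwarder\etc\system\default\inputs.conf host = DC01
"""

# "<path ending in inputs.conf>" followed by whitespace and the rest of the line.
# Non-greedy so a path containing spaces (Program Files) still splits correctly.
LINE_RE = re.compile(r"^(?P<file>.+?inputs\.conf)\s+(?P<body>\S.*)$")
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


@dataclass
class Stanza:
    name: str
    defined_in: str                      # file whose stanza header btool printed
    settings: dict = field(default_factory=dict)  # key -> (value, file that set it)

    def get(self, key, default=None):
        return self.settings.get(key, (default, None))[0]

    def source_of(self, key):
        return self.settings.get(key, (None, None))[1]


def parse_btool_debug(text):
    """Turn btool --debug output into {stanza name: Stanza}, in printed order."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or a btool warning without a file prefix
        path, body = m.group("file"), m.group("body")
        header = STANZA_RE.match(body)
        if header:
            current = Stanza(header.group("name"), path)
            stanzas[current.name] = current
            continue
        if current is None or "=" not in body:
            continue
        key, _, value = body.partition("=")
        current.settings[key.strip()] = (value.strip(), path)
    return stanzas


def audit_wineventlog(stanzas, expected_index="main"):
    """Return (stanza, problem) pairs for event-log inputs that are disabled or
    whose effective index is not the one the searches expect."""
    findings = []
    for st in stanzas.values():
        if not st.name.startswith("WinEventLog://"):
            continue
        if st.get("disabled", "0").lower() not in ("0", "false"):
            findings.append((st.name, f"disabled by {st.source_of('disabled')}"))
            continue
        index = st.get("index", "default")
        if index != expected_index:
            where = st.source_of("index") or "no file (Splunk built-in default)"
            findings.append((st.name, f"index={index} set in {where}, expected {expected_index}"))
    return findings


if __name__ == "__main__":
    parsed = parse_btool_debug(SAMPLE_BTOOL_OUTPUT)
    for name, problem in audit_wineventlog(parsed, expected_index="main"):
        print(f"{name}: {problem}")
```

Run against real output, pipe `btool --debug inputs list` to a file instead of the clipboard and feed that text to `parse_btool_debug`. The useful point the audit makes visible is the layering: `disabled = 0` in the local file wins, but `index = wineventlog` one layer down in the add-on's default file is still in force, so the fix for the index complaint above belongs as an explicit `index = ...` line in the same local stanza, or as a matching index on the indexer, rather than anywhere the forwarder's own `[default]` stanza lives.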