Getting Data In

Why are we not receiving Windows event logs from our domain controller and getting error "Admin handler 'win-wmi-enum-eventlogs' not found"?

amunro
New Member

When setting up a Splunk forwarder for monitoring a Windows server, we receive performance metrics, but not Windows events. When I enter the application log's data input settings and ask it to look for logs on the server, I am given the following error:

'win-wmi-enum-eventlogs': Admin handler 'win-wmi-enum-eventlogs' not found.

I suspect this is something related to my issue as the forwarder doesn't seem to be able to enumerate the event logs on the server and I am having trouble receiving logs from this server. Is this a known error or is this likely to be an issue with the Windows Server?

The forwarder is version 6.2.5 and is being run as the local system. The server is a domain controller, and I've tried running it as system and as the domain administrator.

0 Karma

Richfez
SplunkTrust

What does the stanza for one of those inputs look like?

I don't have access to my DC at the moment, but I think the UF on the local system shouldn't be using WMI for this, but instead should have stanzas like the below in inputs.conf:

[WinEventLog://Application]
... stuff in here...

0 Karma

Richfez
SplunkTrust

Shucks, easy answer didn't work. 🙂

On your DC, try
c:\program files\splunkuniversalforwarder\splunk\bin\splunk cmd btool --debug inputs list | clip
Then paste that into your favorite text editor. Obviously fix up your path as required.

Once you have that, search for a few things and see what it says. One would be to search for/find the stanza for your wineventlog://application, so search for that -
[WinEventLog://Application]
Maybe it could be useful to see what shows up if you search for wmi, too - that might need to be repeated a few times to find the right sections.

If you haven't read btool output before it can be a bit overwhelming at first, but it really is a bit more straightforward than it first looks. Here's docs for usage of btool. I haven't found anything great on how to read it, but really, it's not as hard as it looks if you give it a shot.

0 Karma
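An added helper for reading that btool --debug listing (example code, not from this thread or from Splunk): each output line is "<file that set it>  <[stanza] or key = value>", and the parser turns that into a per-stanza map so you can ask which file set a given key, or list every stanza whose name contains "wineventlog" or "wmi". The sample btool output below is constructed, not captured from the poster's DC.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `splunk cmd btool --debug inputs list` output (not the
# poster's real output). Each line: "<file that set it>  <[stanza] or key = value>".
SAMPLE_BTOOL_OUTPUT = r"""
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Application]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf checkpointInterval = 5
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Security]
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf disabled = 0
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
"""

# Path ends at the first ".conf" followed by whitespace; the rest is the body.
_LINE = re.compile(r"^(?P<file>.+?\.conf)\s+(?P<body>\S.*)$")

@dataclass
class Stanza:
    name: str
    defined_in: str               # file whose [header] line btool reported
    settings: dict = field(default_factory=dict)  # key -> (value, file that set it)

def parse_btool_debug(text):
    """Parse `btool --debug <conf> list` output into {stanza name: Stanza}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue              # blank or unrecognised line
        path, body = m.group("file"), m.group("body")
        if body.startswith("[") and body.endswith("]"):
            current = Stanza(name=body[1:-1], defined_in=path)
            stanzas[current.name] = current
        elif current is not None and "=" in body:
            key, value = (s.strip() for s in body.split("=", 1))
            current.settings[key] = (value, path)   # later lines override earlier
    return stanzas

def stanzas_matching(stanzas, needle):
    """Stanza names containing needle, case-insensitive ('wineventlog', 'wmi', ...)."""
    return sorted(n for n in stanzas if needle.lower() in n.lower())

def explain(stanzas, name, key):
    """'value (from file)' for one setting, or None if no file sets it."""
    st = stanzas.get(name)
    if st is None or key not in st.settings:
        return None
    value, path = st.settings[key]
    return f"{value} (from {path})"
```

Pipe the real `btool --debug inputs list` output into `parse_btool_debug` and call `explain(cfg, "WinEventLog://Application", "index")` to see exactly which file decides where those events land.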

amunro
New Member

C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Application]

The same shows up for all of the logs I want to monitor. Oddly enough, the logs now seem to be pulled OK once I explicitly declare the root directory, but the logs are going into the wrong index: they are hitting 'wineventlog' instead of 'main', which means the search for the host doesn't show them. Still, I suspect that this is something I need to configure on the log server and not an issue with the client.

0 Karma

amunro
New Member

Apparently SPLUNK_HOME isn't set, which is odd because I've defined it as an environment variable, so I'm guessing it's missing from one of the head-end config files. I'll get this fixed and read through the input as soon as I can; thanks for your help.

EDIT: SPLUNK_HOME isn't explicitly set but the default directory for it (one above .\etc) should be correct. In addition when I uncomment the explicit definition in splunk-launch.conf the reporting tool starts working.

0 Karma

amunro
New Member

Thanks for the reply.

I had a look in SPLUNKDIR\etc\apps\Splunk_TA_windows\local\inputs.conf and I found the following entries for the event logs:

[WinEventLog://Application]
disabled = 0

[WinEventLog://Security]
disabled = 0

[WinEventLog://System]
disabled = 0

This just seems to be a switch to toggle them on and off, so is there anywhere else I should be looking for configuration? I notice the template file has far more options for each log, but I also notice it doesn't have any source definition options.

0 Karma