WinEventLog:Security: Splunk Could Not Get The Description...

wiz561
Explorer

Hi!

I'm just starting out with Splunk and I'm having it index the WinEventLog:Security. When doing a simple search for account logon and logoffs, I get the "Splunk could not get the description...." I am using this as the search string.

source="WinEventLog:Security" (EventCode=4624 OR EventCode=4625 OR EventCode=4634)

Here are the results of the query.

--

05/09/2012 07:45:54 AM
LogName=Security
SourceName=Microsoft-Windows-Eventlog
EventCode=4624
EventType=0
Type=Information
ComputerName=WIN-CCBON561AV9
TaskCategory=None
OpCode=Info
RecordNumber=1076005
Keywords=Audit Success
Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.

FormatMessage error: the message resource is present but the message is not found in the string/message table

Got the following information from this event:

WIN-CCBON561AV9$
WORKGROUP
SYSTEM
NT AUTHORITY
Advapi
Negotiate
-
-
C:\Windows\System32\services.exe
-
-

I can't imagine that Splunk can't interpret a logon event from Windows, and I'm almost sure it's something I'm doing wrong. If anybody has any suggestions, that would be great.

Thanks!


mship
Path Finder

Splunk doesn't go to the .dll to get this info...the Windows Event Viewer does. Look at your Windows event logs locally and I will bet you are getting the same message. If it is your Security log you are probably missing the msaudite.dll file under the System32 folder along with the Security subkey under hklm\system\currentcontrolset\services\eventlog\security.

If it is in the app or system event log you are missing the registry hives for those events. You can just copy them over from a working machine.

0 Karma
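One way to check the two things mship points at (the Security subkey and the message DLL it references) without touching anything, as an added example that is not part of this thread. It reads the standard EventMessageFile value of each source registered under the Security log and tests whether the DLL path exists; the msaudite.dll check at the end is the file named above. Run it in an elevated PowerShell session on the host that produced the event.

```powershell
# Added example: report which Security-log event sources point at a message DLL
# that is missing on this machine. Nothing is modified; read-only registry/file checks.
$logKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

if (-not (Test-Path $logKey)) {
    Write-Warning "Registry key $logKey is missing; the Security log has no registered sources."
    return
}

Get-ChildItem $logKey | ForEach-Object {
    $source = $_.PSChildName
    $props  = Get-ItemProperty -Path $_.PSPath
    # EventMessageFile may list several DLLs separated by ';' and may use %SystemRoot%
    $files = if ($props.EventMessageFile) { $props.EventMessageFile -split ';' } else { @() }
    if ($files.Count -eq 0) {
        [pscustomobject]@{ Source = $source; MessageFile = '<none>'; Exists = $false }
    }
    foreach ($f in $files) {
        $expanded = [Environment]::ExpandEnvironmentVariables($f.Trim())
        [pscustomobject]@{ Source = $source; MessageFile = $expanded; Exists = (Test-Path $expanded) }
    }
} | Format-Table -AutoSize

# The legacy Security message DLL named in the thread
$msaudite = Join-Path $env:SystemRoot 'System32\msaudite.dll'
"msaudite.dll present: $(Test-Path $msaudite)"
```

Any row with Exists = False is a source whose descriptions cannot be formatted locally, which is exactly the condition the Splunk message reports.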

Stefan_van_de_R
Explorer

If you have PowerShell enabled you can also make use of WQL and parse the desired fields of the event into a CSV file. Not a direct answer to your question but a good practice if you just need some events or fields. Tell me if you need a WQL example.

0 Karma
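The WQL approach Stefan mentions, as an added example that is not his or Splunk's code: it queries the Security log for the same logon/logoff event codes as the search in the question and writes the raw fields to CSV. The point is InsertionStrings, which carries the event parameters (the same strings Splunk prints under "Got the following information") even when the description cannot be formatted. $outFile is an arbitrary path chosen for this example; run in an elevated PowerShell session.

```powershell
# Added example: export Security logon/logoff events via WQL, keeping the raw
# insertion strings so nothing is lost when the message DLL lookup fails.
$outFile = 'C:\Temp\logon-events.csv'   # assumed output path for this example

# Same event codes as the search in the question: 4624 logon, 4625 failed logon, 4634 logoff
$wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' " +
       "AND (EventCode=4624 OR EventCode=4625 OR EventCode=4634)"

$columns = @(
    @{ n = 'Time'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated) } }
    'EventCode'
    'RecordNumber'
    'ComputerName'
    'SourceName'
    # These are the strings Splunk shows under "Got the following information from this event"
    @{ n = 'Parameters';     e = { $_.InsertionStrings -join '|' } }
    # Message is empty when Windows itself cannot format the description
    @{ n = 'HasDescription'; e = { -not [string]::IsNullOrEmpty($_.Message) } }
)

Get-WmiObject -Query $wql |
    Select-Object -Property $columns |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Quick summary: how many events per code still lack a formatted description
Import-Csv $outFile | Group-Object EventCode, HasDescription | Select-Object Count, Name
```

If HasDescription is False for events that Splunk also reports as incomplete, the gap is on the Windows side rather than in the forwarder.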

wiz561
Explorer

I uninstalled and reinstalled Splunk 4.3.2, and it seems to still be happening.

What I did find out though is that it seems like the events that it's happening on are noise, and nothing too serious. I'm wondering if it's Splunk saying that the event is junk and even though it's getting reported, it's one of the many ones Windows generates that are meaningless to most people.

0 Karma

jbsplunk
Splunk Employee

Splunk doesn't know what is or isn't meaningless, and doesn't attempt to make those judgements. It is simply telling you that it can't get the event description.

0 Karma

mship
Path Finder

Wiz - did you reinstall your receiver or forwarder? The receiver must be running the same (or later) version of Splunk as your forwarder. Also, Splunk collects data; I don't believe it makes any type of decision (unless you tell it to) on what's worthless or not, especially since event 4624 is related to account logons.

0 Karma

jeff
Contributor

Would be nice to think so, but I was getting it from the Security Logs on my AD Domain Controllers some of the time. Cycling the SplunkForwarder service would (usually) stop this from happening until the next time the service cycled or the server rebooted. Downgraded all of the DCs to 4.3.1...

0 Karma

jeff
Contributor

This seems to be an issue with 4.3.2 and Windows 2008 WinEvent Logs. I updated all of my forwarders (universal and heavy) to 4.3.2 a few weeks ago and noticed later that I was seeing this error a lot on each of the Windows 2008 forwarders. See this entry. I have a support case open with Splunk but it isn't getting a lot of traction. I downgraded one heavy and one universal forwarder to 4.3.1 and the issue doesn't seem to occur...

reedmohn
Communicator

Anyone know when 4.3.3 is scheduled for release?

0 Karma

jbsplunk
Splunk Employee

The problem is that Splunk can't get the information from the dll, so that information can't be reliably displayed by us. It could be from a corrupt dll, or that component is actually missing. Splunk doesn't know; what it does know is that it can't get the description, so it gives you a message about the event being incomplete.

mship
Path Finder

Can you provide more info...what version of Windows is Splunk running on? Are you trying to collect a local event log or remote? Using WMI or the Windows TA app? Universal forwarders etc.? I just ran this search on a Windows 2008 R2 Splunk server with no errors. I have seen this question before and some responses indicate corrupted .dlls.

0 Karma

wiz561
Explorer

Thanks for the information. I'll maybe try to reinstall Splunk and see what happens.

It's running on Server 2008 R2, the 64-bit version. I just configured it to collect the local Windows event logs; the Security, Application, and System logs. Nothing is getting forwarded from anywhere else. I had the Windows App running first, installed the FISMA app, removed the Windows App and replaced it with the Windows TA one. It's also the generic search when it produces it.

I'll post my results after the reinstall.

0 Karma

cphair
Builder

@mship, I see a similar problem on a Win7 machine running the universal forwarder. For this host, it only happens for one particular event code in the application log, so a corrupted DLL might be the reason. I don't have access to the machine itself at the moment, so I can't verify anything about the local log or the DLLs.

0 Karma