I'm just starting out with Splunk and I'm having it index the WinEventLog:Security. When doing a simple search for account logon and logoffs, I get the "Splunk could not get the description...." I am using this as the search string.
source="WinEventLog:Security" EventCode=4624 OR EventCode=2625 OR EventCode=4634
Here is the results of the query.
1. 05/09/2012 07:45:54 AM 2. LogName=Security 3. SourceName=Microsoft-Windows-Eventlog 4. EventCode=4624 5. EventType=0 6. Type=Information 7. ComputerName=WIN-CCBON561AV9 8. TaskCategory=None 9. OpCode=Info 10. RecordNumber=1076005 11. Keywords=Audit Success 12. Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt. 13. 14. FormatMessage error: the message resource is present but the message is not found in the string/message table 15. 16. Got the following information from this event: 17. 18. WIN-CCBON561AV9$ 19. WORKGROUP 20. SYSTEM 21. NT AUTHORITY 22. Advapi 23. Negotiate 24. - 25. - 26. C:\Windows\System32\services.exe 27. - 28. -
I can't imagine that Splunk can't interpret a logon event from Windows, and I'm almost sure it's something I'm doing wrong. If anybody has any suggestions, that would be great.
Splunk doesn't go to the .dll to get this info...the windows event viewer does. Look at your windows event logs locally and I will bet you are getting the same message. If it is your security log you are probably missing the msaudite.dll file under system32 folder along with security subkey under the hklm\system\currentcontrolset\services\eventlog\security.
If it is in the app or system event log you are missing the registry hives for those events. You can just copy them over from a working machine.
If you have PowerShell enabled you can also make use of WQL and parse the desired fields of the event into a CSV file. Not a direct answer to your question but a good practise if you just need some events or fields.. Tell me if you need a WQL example.
I uninstalled and reinstalled Splunk 4.3.2, and it seems to still be happening.
What I did find out though is that it seems like the events on that it's happening on are noise, and nothing too serious. I'm wondering if it's Splunk saying that the event is junk and even though it's getting reported, it's one of the many ones Windows generates that are meaningless to most people.
Splunk doesn't know what is or isn't meaningless, and doesn't attempt to make those judgements. It is simply telling you that it can't get the event description.
Wiz - did you reinstall your receiver or forwarder? The receiver must be running the same (or later) version of Splunk as your forwarder. Also Splunk collects data I don't believe it makes any type of decision (unless you tell it to) on whats worthless or not especially since event 4624 is related to account logons.
Would be nice to think so, but I was getting it from the Security Logs on my AD Domain Controllers some of the time. Cycling the SplunkForwarder service would (usually) stop this from happening until the next time the service cycled or the server rebooted. Downgraded all of the DCs to 4.3.1...
This seems to be an issue with 4.3.2 and Windows 2008 WinEvent Logs. I updated all of my forwarders (universal and heavy) to 4.3.2 a few weeks ago and noticed later that I was seeing this error a lot on each of the Windows 2008 forwarders. See this entry. I have a support case open with Splunk but it isn't getting a lot of traction. I downgraded one heavy and one universal forwarder to 4.3.1 and the issue doesn't seem to occur...
Anyone know when 4.3.3 is scheduled for release?
The problem is that Splunk can't get the information from the dll, so that information can't be reliably displayed by us. It could be from a corrupt dll, or that component is actually missing. Splunk doesn't know, what it does know is that it can't get the description, so it gives you a message about the event being incomplete.
Can you provide more info...what version of windows is splunk running on? Are you trying to collect a local event log or remote? Using WMI or Windows TA app? Universal forwarders etc? I just ran this search on a Windows 2008 R2 Splunk server with no errors. I have seen this question before and some responses indicate corrupted .dll's.
Thanks for the information. I'll maybe try to reinstall splunk and see what happens.
It's running on Server 2008r2, the 64-bit version. I just configured it to collect the local Windows event logs; the Security, Application, and System logs. Nothing is getting forwarded from anywhere else. I had the Windows App running first, installed the FISMA app, removed the Windows App and replaced it with the Windows TA one. It's also the generic search when it produces it.
I'll post my results after the reinstall.
@mship, I see a similar problem on a Win7 machine running the universal forwarder. For this host, it only happens for one particular event code in the application log, so a corrupted DLL might be the reason. I don't have access to the machine itself at the moment, so I can't verify anything about the local log or the DLLs.