Solved: Windows event log collection randomly stops

abonuccelli_spl · ‎01-13-2014

I am collecting WinEventLog (not using WMI) data using a Universal Forwarder, Heavy Forwarder or full Splunk Instance, I'm using versions prior to 5.0.5, and data collection randomly stops; the host I'm collecting data from is surely not idle and generating a fair amount of WinEvents, I am not using WMI. I can see _internal/audit data coming in. A restart fixes the problem, however this happens again at some point.

I have enabled DEBUG and seeing this after the issue happens...

DEBUG WinEventLogInputProcessor - main-thread: Waiting for Windows Event Log with timeout=10000.
DEBUG WinEventLogInputProcessor - main-thread: Waiting for Windows Event Log with timeout=10000.
DEBUG WinEventLogInputProcessor - main-thread: Waiting for Windows Event Log with timeout=10000.
DEBUG WinEventLogInputProcessor - main-thread: Waiting for Windows Event Log with timeout=10000.

abonuccelli_spl · ‎01-13-2014

There is a bug (SPL-64915 - WinEventLog InputChannel stop collecting data due to constant timeout.)
This is fixed in version 5.0.5 and greater.

View solution in original post

abonuccelli_spl · ‎01-13-2014

There is a bug (SPL-64915 - WinEventLog InputChannel stop collecting data due to constant timeout.)
This is fixed in version 5.0.5 and greater.

Windows event log collection randomly stops

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024