
"Splunk could not get the description for this event" - SplunkUniversalForwarders, versions 4.2 thru 5.0.1

rgcox1
Communicator

I am getting a high incidence rate of "Splunk could not get the description for this event."
All forwarders are SplunkUniversalForwarders, versions 4.2 thru 5.0.1.
Yesterday I got these results from my Linux 4.3.2 indexer:

Splunk Universal   Servers with   Servers with "Splunk
Forwarder Ver.     WinEvents OK   could not get desc"   Total
4.2                     27               21               48
4.2.2                    4                2                6
4.3.1                    1                -                1
4.3.2                    4                8               12
5.0.1                  172               40              212
Total                  208               71              279

Since the results were so scattered among the forwarder versions, I upgraded the indexer to 5.0.2.

As the indexer is a Linux box, and I know the event descriptions are extracted from the DLL’s on the clients, I really didn’t expect to see a change. However, since the change I now have 151 servers with “could not get” — over twice what I had yesterday before upgrading the indexer. Now over 75% of my Windows events contain “Splunk could not get the description for this event.”

The majority of the events are from the security logs, but there is also a significant number of events from the system and application event logs.

Descriptions are present when viewed via event viewer on servers in most cases. In a few cases applications do not put descriptions into the application log.

A spot check of some of the affected servers shows that the msaudite.dll file and the security subkey under hklm\system\currentcontrolset\services\eventlog\security are present.

Operating systems are also a mix — 78 of the affected machines are Server 2008, the rest 2003.

Any help would be greatly appreciated.

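A search to reproduce the per-version breakdown above on the indexer, added here as an example and not part of the original post. It assumes the indexer's metrics.log records each forwarder connection under group=tcpin_connections with the fields hostname and version, that Windows events carry a sourcetype matching WinEventLog:*, and that index=wineventlog is a placeholder for whichever index holds them. Events that arrive without their description lose the human-readable fields, so any detection search keyed on that text silently stops matching; counting affected hosts per forwarder version is the quickest way to see whether the gap tracks a forwarder release.

```spl
index=_internal source=*metrics.log* group=tcpin_connections earliest=-24h
| stats latest(version) AS fwd_version BY hostname
| append
    [ search index=wineventlog sourcetype=WinEventLog:* earliest=-24h
      | eval missing_desc=if(like(_raw, "%Splunk could not get the description for this event%"), 1, 0)
      | stats max(missing_desc) AS missing_desc, count AS win_events BY host
      | rename host AS hostname ]
| stats values(fwd_version) AS fwd_version, max(missing_desc) AS missing_desc, sum(win_events) AS win_events BY hostname
| where win_events > 0
| fillnull value="unknown" fwd_version
| eval status=if(missing_desc=1, "could not get desc", "WinEvents OK")
| chart count BY fwd_version status
| addtotals fieldname=Total
| addcoltotals labelfield=fwd_version label=Total
```

Hosts that sent Windows events but have no tcpin_connections record in the window land in the "unknown" row, which is worth checking before trusting the per-version split.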

AaronMoorcroft
Communicator

I had this same issue; it came down to the version of the forwarder, 4.3.2.

4.3.2 has a known bug and can cause this issue. To resolve this I had to upgrade all my forwarders from this version to 5.0.1.
