Getting Data In

windows forwarder unable to add application,system and security event logs?

Contributor

Hi,

I've a forwarder (v4.1.3) installed on a W2K DC, and it has been configured to forward Application, System and Security logs to our indexer. Everything was OK until I discovered that the forwarder had actually stopped sending System and Security logs a few months back... The indexer continues to receive Application logs.

I went to check on the forwarder and it prompts that the license has expired! (I was using the forwarder license, and in splunkweb it shows the license as forwarder as well.) I've tried to re-include the forwarder license and restart Splunk, but it still prompts as expired. Thinking this may be the problem, I upgraded the forwarder to v4.1.5, which is the same as the indexer, and set up the forwarder license again.

Now I've tried to add the Application, System and Security event logs, but it doesn't seem to work at all now. I don't receive any events on the indexer after that.


Re: windows forwarder unable to add application,system and security event logs?

Influencer

Hi Remy

What kind of input is collecting this data? It could be that your checkpoint has become corrupt and you need to cleanly remove the problematic channels (App, Security, Event).

Are you seeing any errors in splunkd.log related to the input?



Re: windows forwarder unable to add application,system and security event logs?

Contributor

Hi,

I've installed a forwarder on the DC, configured via splunkweb data inputs to collect App, Security and System events.

I've tried removing the channels initially, when I first realised the problem, but when I tried adding them back, Splunk wasn't able to save it, as the channels are not reflected in the local event collectors. I've also tried adding them manually in inputs.conf, but it doesn't work.

So I went ahead and upgraded to v4.1.5, and was able to add them back; the 3 channels are reflected in the local event collectors now. However, it doesn't seem to be indexing any events.


Re: windows forwarder unable to add application,system and security event logs?

Influencer

Sorry, I am still a bit unclear about which mechanism is being used. You are using local, or remote event log collection?


Re: windows forwarder unable to add application,system and security event logs?

Contributor

Local event log collection.


Re: windows forwarder unable to add application,system and security event logs?

Contributor

I've also checked splunkd.log. There doesn't seem to be any error. How can I completely remove the channels and add them back again?


Re: windows forwarder unable to add application,system and security event logs?

Influencer

You could do this by removing the checkpoint files. By default, they are in

C:\Program Files\Splunk\var\lib\splunk\persistentstorage\WinEventLog\

The files are SecurityCheckpoint, ApplicationCheckpoint, and System_Checkpoint. Stop Splunk, rename them to .old and move them out of the way, then restart. If the checkpoint is corrupt, this should take care of the problem.

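The checkpoint reset described in the answer above, written out as an added PowerShell example (this is not code from the thread or from Splunk). It assumes the default install path `C:\Program Files\Splunk` and the checkpoint directory the answer names; the wildcard on the file names covers both the `SecurityCheckpoint` and `System_Checkpoint` spellings. Run it in an elevated session. One caveat worth knowing before running it on a domain controller: with the checkpoint gone, the input starts again from the oldest event still held in the channel (the default `start_from` behaviour of the WinEventLog input), so expect a burst of historical Security events after the restart, and only as much of the missing months as the event log itself still retains.

```powershell
# Added example, not from the original thread: reset Splunk's local Windows
# Event Log checkpoints so the forwarder re-opens the channels.
# Assumption: default Splunk install path; adjust $SplunkHome if yours differs.

$SplunkHome    = 'C:\Program Files\Splunk'
$SplunkExe     = Join-Path $SplunkHome 'bin\splunk.exe'
$CheckpointDir = Join-Path $SplunkHome 'var\lib\splunk\persistentstorage\WinEventLog'
$SplunkdLog    = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
$Channels      = 'Application', 'System', 'Security'

# 1. Stop Splunk first so it cannot rewrite a checkpoint while we move it.
& $SplunkExe stop

# 2. Move each affected checkpoint out of the way, keeping a timestamped copy
#    rather than deleting, so the original can be restored if needed.
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($ch in $Channels) {
    # Matches "SecurityCheckpoint" as well as "System_Checkpoint".
    Get-ChildItem -Path $CheckpointDir -File -Filter "$ch*Checkpoint*" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dest = "$($_.FullName).$Stamp.old"
            Write-Host "Moving $($_.Name) -> $(Split-Path $dest -Leaf)"
            Move-Item -LiteralPath $_.FullName -Destination $dest
        }
}

# 3. Restart the forwarder.
& $SplunkExe start

# 4. Verify: fresh checkpoint files should reappear once the channels are read,
#    and splunkd.log (which the thread suggests checking) should show no
#    WinEventLog errors for the input.
Start-Sleep -Seconds 30
Get-ChildItem -Path $CheckpointDir
Get-Content -Path $SplunkdLog -Tail 300 | Select-String -Pattern 'WinEventLog' | Select-String -Pattern 'ERROR|WARN'
```

If the checkpoint files do not reappear after the restart, the input itself is not running, and the problem is in the inputs configuration rather than the checkpoints.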

Re: windows forwarder unable to add application,system and security event logs?

Contributor

Hi, I've tried your suggestion and have started receiving events already. Although in splunkweb the 3 channels don't show, I guess it doesn't matter. Thanks.
