Permission Error after upgrade from Server 2019 to 2022

jeremyhewitt
Observer

We had a Splunk Enterprise installation (9.2.0.1) on Windows Server 2019, and upgraded to Windows Server 2022 today.

Splunk is only set up for local event log collection; the events are forwarded from other workstations.

The Windows subscription & forwarded events are working, but Splunk isn't ingesting newer logs since the in-place upgrade to Server 2022.

I can't seem to access Splunk's Event Log Collection settings since the upgrade either, and am met with a "Permission error".

I have restarted the server fully. Am tempted to re-install Splunk as well.

Any ideas?

 

Edit:

Running with free Splunk Enterprise license (<500MB / day ingestion).

Service is run with separate domain user service account.

Only used to ingest local event logs that have been forwarded from other workstations.

Can't see any other configuration which has changed.

inputs.conf

[default]
host = <servername>

[WinEventLog://ForwardedEvents]
disabled = false
index = applocker
renderXml = true
blacklist = 111
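Since the collector runs under a separate domain service account, the first thing to verify after an in-place OS upgrade is whether that account can still read the ForwardedEvents channel. The PowerShell below is an added diagnostic, not part of the post or of Splunk's own tooling; it assumes the Splunk Enterprise Windows service is named Splunkd (the product default) and takes the channel name from the inputs.conf above. Run it elevated on the collector.

```powershell
# Added diagnostic for the ForwardedEvents ingestion problem described above.
# Assumptions: service name 'Splunkd' (Splunk Enterprise default), channel 'ForwardedEvents'
# from the poster's inputs.conf. Nothing here changes configuration; it only reports.
param(
    [string]$ServiceName = 'Splunkd',          # assumed Splunk Enterprise service name
    [string]$Channel     = 'ForwardedEvents'   # channel from the inputs.conf stanza
)

# 1. Which account does the service actually run as now, and is it running?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
"Service '$ServiceName' runs as: $($svc.StartName) (state: $($svc.State))"

# 2. A non-admin service account normally reads event logs via the built-in
#    Event Log Readers group. Direct membership only; nested groups are not expanded here.
$readers = @(Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue)
"Event Log Readers members:"
$readers | ForEach-Object { "  $($_.Name)" }
$listed = $readers.Name -contains $svc.StartName
"Service account listed directly in Event Log Readers: $listed"

# 3. The channel's own ACL (channelAccess SDDL) decides who may read it.
#    S-1-5-32-573 is the well-known SID of Event Log Readers; the default
#    ForwardedEvents ACL grants that SID read access (0x1).
$sddl = (wevtutil gl $Channel | Where-Object { $_ -like 'channelAccess:*' }) -replace '^channelAccess:\s*', ''
"channelAccess SDDL: $sddl"
"Event Log Readers SID present in channel ACL: $($sddl -match 'S-1-5-32-573')"

# 4. Can this session read the channel, and how fresh is the newest event?
#    A timestamp older than the OS upgrade points at the subscription side;
#    a recent one with no Splunk ingestion points at the collector's access.
try {
    $latest = Get-WinEvent -LogName $Channel -MaxEvents 1 -ErrorAction Stop
    "Newest $Channel event: $($latest.TimeCreated) (Event Id $($latest.Id))"
} catch {
    "Cannot read ${Channel}: $($_.Exception.Message)"
}
```

Run it once from an elevated prompt to see the ACL and group membership, then once more in a session started as the service account itself (for example via runas) so that step 4 tests the account's effective access rather than the administrator's. If the service account is missing from Event Log Readers or the channel SDDL no longer grants that SID read access, that mismatch is consistent with both symptoms in the post: no new ForwardedEvents being ingested and a "Permission error" when Splunk tries to enumerate the channels.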
