
splunk-winhostmon.exe gets "access is denied"

MikaJustasACN
Path Finder

Hi all, I'm having an issue with the Splunk winhostinfo input. All works fine, and then randomly the following errors kick in: ERROR ExecProcessor - Couldn't start command ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostinfo.exe"": Access is denied. After the error, it will not even try again, as if it is locked for good. Running a 6.6.4 UF. Any idea? Even if it fails, I would expect it to retry at the next scheduled time. Right now the only solution is to restart the UF.

0 Karma

ccl0utier
Splunk Employee

I assume you've already checked things like Antivirus & Firewalling?

Reading elsewhere, it would seem that newer versions of the UF (6.6.7+) have a fix to restart the winhostmon.exe-based input after such a failure, so your solution would likely be to upgrade your UFs.

0 Karma

MikaJustasACN
Path Finder

I have not seen this documented anywhere for 6.6.7+; at least in the fixed issues it does not exist. I read somewhere that people had issues with version 5.x. Do you have a source for where you found this?

0 Karma

ccl0utier
Splunk Employee

This is mentioned by a colleague here:

https://answers.splunk.com/answers/716685/splunk-universal-forwarder-suddenly-stop-receiving.html

I've also checked internally, and this issue was reported as SPL-155042 and might have had to do with Symantec Endpoint Protection blocking the process. If you use that, it might be worth disabling it via a rule to whitelist the UF input executables. It was confirmed that upgrading to the versions listed below fixed the issue.

The fix to restart the various Windows inputs on a UF was SPL-144368, included in versions 6.5.8+, 6.6.7+. That should also be in any 7.x versions.

0 Karma
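The checks the answers above imply, written out as an added PowerShell example (not code from the thread or from Splunk): parse splunkd.log for the ExecProcessor "Couldn't start command ... Access is denied" failure, then compare the installed UF version against the releases that carry the SPL-144368 input-restart fix (6.5.8+, 6.6.7+, and 7.x as the answer states) to decide whether a restart is needed now or the forwarder will recover by itself. The log lines, the 6.6.4 version and the default install paths in the comments are constructed assumptions for illustration.

```powershell
# Added example, not from the thread. Sample splunkd.log lines below are constructed;
# the third line shows the exact failure shape quoted in the question.
$SampleLog = @'
09-12-2018 04:00:01.123 +0100 INFO  ExecProcessor - New scheduled exec process: "c:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostmon.exe"
09-12-2018 04:10:01.456 +0100 ERROR ExecProcessor - Couldn't start command ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-winhostmon.exe"": Access is denied.
09-12-2018 04:10:02.789 +0100 ERROR ExecProcessor - Couldn't start command ""c:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"": Access is denied.
'@ -split "`r?`n"

function Get-BlockedModularInputs {
    # Return one object per input executable that ExecProcessor failed to launch.
    # splunkd.log format: <date> <time> <tz> <level> <component> - <message>
    param([Parameter(Mandatory)][string[]]$LogLines)
    $pattern = '^(?<ts>\S+ \S+ \S+)\s+ERROR\s+ExecProcessor - Couldn''t start command ""(?<cmd>[^"]+)"": (?<reason>.+)$'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Timestamp = $Matches.ts
                Command   = $Matches.cmd
                Input     = [System.IO.Path]::GetFileName($Matches.cmd)
                Reason    = $Matches.reason.TrimEnd('.')
            }
        }
    }
}

function Test-HasInputRestartFix {
    # SPL-144368 (automatic restart of failed Windows inputs) shipped in 6.5.8 and
    # 6.6.7 on their maintenance branches and, per the answer above, in 7.x releases.
    # Older branches (6.4.x and below) are treated as not fixed.
    param([Parameter(Mandatory)][version]$UfVersion)
    switch ("$($UfVersion.Major).$($UfVersion.Minor)") {
        '6.5'   { return ($UfVersion -ge [version]'6.5.8') }
        '6.6'   { return ($UfVersion -ge [version]'6.6.7') }
        default { return ($UfVersion.Major -ge 7) }
    }
}

function Get-Recommendation {
    # Turn the parsed failures plus the UF version into an operator action.
    param(
        [Parameter(Mandatory)][version]$UfVersion,
        [object[]]$Failures = @()
    )
    if (-not $Failures) { return 'No blocked input executables found in the log.' }
    $names = (@($Failures).Input | Sort-Object -Unique) -join ', '
    $av = 'Add an AV/EDR exclusion for the UF bin directory (the thread points at Symantec Endpoint Protection).'
    if (Test-HasInputRestartFix -UfVersion $UfVersion) {
        return "Inputs denied start: $names. UF $UfVersion carries the restart fix and will retry by itself. $av"
    }
    return "Inputs denied start: $names. UF $UfVersion will not retry until splunkd restarts: run 'Restart-Service SplunkForwarder' now, then upgrade to 6.5.8+, 6.6.7+ or 7.x. $av"
}

# Run against the constructed sample and the version from the question (6.6.4).
$failures = Get-BlockedModularInputs -LogLines $SampleLog
Get-Recommendation -UfVersion ([version]'6.6.4') -Failures $failures

# Against a live forwarder (assumes the default install path; splunk.version holds a VERSION= line):
# $base = "$env:ProgramFiles\SplunkUniversalForwarder"
# $live = Get-Content "$base\var\log\splunk\splunkd.log"
# $ver  = [version](((Get-Content "$base\etc\splunk.version") -match '^VERSION=')[0] -replace '^VERSION=', '')
# Get-Recommendation -UfVersion $ver -Failures (Get-BlockedModularInputs -LogLines $live)
```

Because the failing process is named in the log line itself, the parsed `Input` column gives the exact executables to put in the AV exclusion rule rather than whitelisting the whole install tree. On a pre-fix UF the script recommends the service restart the original poster found necessary; on a fixed build it only flags the AV cause, since the input will be rescheduled without intervention.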