Splunk Enterprise

Why my windows splunk UF agent is failing frequently

Hemnaath
Motivator

Hi All,

Currently one of the Windows users contacted us and informed us that he noticed the Splunk UF agent is failing frequently on his machine.

When we investigated the issue, we could see the following error details in the Splunk _internal logs.

component=ExecProcessor
=========================
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::~WinEventLogChannel: Failed to checkpoint for channel='Windows PowerShell'
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::saveBookMark: Failed to update Windows Event Log bookmark, channel='Windows PowerShell
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::~WinEventLogChannel: Failed to checkpoint for channel='Security'

component=AuthenticationManagerSplunk
=========================================
01-17-2022 09:22:19.839 +0000 ERROR AuthenticationManagerSplunk - Either password or seed file not found! No users configured!


component=Metrics
====================
01-17-2022 09:22:20.245 +0000 ERROR Metrics - Metric with name thruput:idxSummary already registered


component=TcpOutputFd
======================
01-17-2022 04:45:00.175 +0000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.

component=PipelineComponent
=============================
01-17-2022 05:21:48.213 +0000 ERROR PipelineComponent - Monotonic time source didn't increase; is it stuck?

component=FileClassifierManager
==================================
01-17-2022 09:22:23.780 +0000 WARN FileClassifierManager - The file 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-08-13-08-22-30.dmp' is invalid. Reason: binary

component=TailReader
==========================

01-17-2022 09:22:23.780 +0000 INFO TailReader - Ignoring file 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-08-13-08-22-30.dmp' due to: binary

component=WatchedFile
==========================

01-17-2022 09:22:23.498 +0000 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-10-01-08-22-12.log'.

 

I have checked the truncate value and found that all are within the control limit except the sourcetype below.

The default value is set to 10000.

WinEventLog:Microsoft-Windows-PowerShell/Operational    21132

 

Splunk Agent version is 7.0 

Splunk Enterprise indexer version is 8.2.2 

Please guide me on what kind of troubleshooting steps need to be taken in order to resolve this issue.
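As an added example (not part of this thread or of Splunk's own tooling), a small Python triage script that parses splunkd.log lines in the format quoted above, counts ERROR events per component, and pulls out the Event Log channels whose checkpoint could not be saved together with the crash-dump timestamps that point at splunk-winevtlog.exe crashes. The sample lines are constructed from the post, and the flattened crash-file name pattern (`..._bin_<exe>_exe_crash-<timestamp>.dmp`) is taken from the file names shown there.

```python
import re
from collections import Counter

# Constructed sample in the splunkd.log format quoted in the post (not a real capture).
SAMPLE_LOG = r"""
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::~WinEventLogChannel: Failed to checkpoint for channel='Windows PowerShell'
01-17-2022 09:22:11.436 +0000 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" ERROR splunk-winevtlog - WinEventLogChannel::~WinEventLogChannel: Failed to checkpoint for channel='Security'
01-17-2022 09:22:19.839 +0000 ERROR AuthenticationManagerSplunk - Either password or seed file not found! No users configured!
01-17-2022 04:45:00.175 +0000 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
01-17-2022 09:22:23.780 +0000 WARN FileClassifierManager - The file 'C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-08-13-08-22-30.dmp' is invalid. Reason: binary
01-17-2022 09:22:23.498 +0000 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\C__Program Files_SplunkUniversalForwarder_bin_splunk-winevtlog_exe_crash-2021-10-01-08-22-12.log'.
"""

# splunkd.log line layout: "<MM-DD-YYYY HH:MM:SS.mmm +ZZZZ> <LEVEL> <Component> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) - (?P<msg>.*)$"
)
# Checkpoint failures from the Windows Event Log input name the affected channel.
CHECKPOINT_RE = re.compile(r"Failed to checkpoint for channel='(?P<channel>[^']+)'")
# Crash artefacts carry the crashed binary's flattened path and a timestamp (pattern from the post).
CRASH_RE = re.compile(r"_bin_(?P<exe>[\w-]+?)_exe_crash-(?P<when>\d{4}(?:-\d{2}){5})\.(?:dmp|log)")


def parse_line(line):
    """Return the parsed fields of one splunkd.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise a splunkd.log excerpt: ERROR counts, failed checkpoint channels, crash timestamps."""
    errors = Counter()
    channels = set()
    crashes = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable or continuation line; not counted
        if rec["level"] == "ERROR":
            errors[rec["component"]] += 1
        channels.update(m.group("channel") for m in CHECKPOINT_RE.finditer(rec["msg"]))
        for m in CRASH_RE.finditer(rec["msg"]):
            crashes.setdefault(m.group("exe"), set()).add(m.group("when"))
    return {
        "errors_by_component": dict(errors),
        "checkpoint_failures": sorted(channels),
        "crashes": {exe: sorted(when) for exe, when in crashes.items()},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Point it at the UF's `var\log\splunk\splunkd.log` to see which components fail most and how many distinct crash timestamps the winevtlog input has produced.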

martinborjesson
Explorer

Hi! I'm having the same issue. Did you get it resolved?
