Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Failed to find Windows Event Log

g_paternicola
Path Finder
‎12-03-2021 05:56 AM

Hello

I'm trying to injest event from this Microsoft event viewer:

[WinEventLog://Microsoft-Windows-TerminalServices-ClientActiveXCore/Microsoft-Windows-TerminalServices-RDPClient/Operational]
disabled = 0
renderXml = 1
sourcetype = XmlWinEventLog
index = ad

 

My issue is, that the name of  the event log the whole path is and not just "Operational" like the others.

g_paternicola_0-1638539638450.png

 

Because of that I will get an error in Splunk:

ERROR ExecProcessor [5076 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-TerminalServices-ClientActiveXCore/Microsoft-Windows-TerminalServices-RDPClient/Operational'

 

Is there a way to escape the "/" before Operational?

Thank you very much in advice.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎12-20-2021 12:19 AM

Yes, your stanza name is too long. Loose the first part.

You can verify it with powershell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view...

Check with what -LogName value you'll get results. It's way easier than blindly (re)configuring splunk inputs/

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-20-2021 12:13 AM

You need this value as channel name

Screenshot_20211220-091242_Client.jpg

0 Karma
Reply
Solved! Jump to solution

g_paternicola
Path Finder
‎12-20-2021 12:15 AM

I already have this in my stanza:

 

[WinEventLog://Microsoft-Windows-TerminalServices-ClientActiveXCore/Microsoft-Windows-TerminalServices-RDPClient/Operational]
disabled = 0
renderXml = 1
sourcetype = XmlWinEventLog
index = ad
whitelist3=1024

But I always going to get this error, even if I put the '\' escape before "Operational" or after

12-20-2021 09:08:21.416 +0100 ERROR ExecProcessor [21652 ExecProcessor] - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventMon::configure: Failed to find Event Log with channel name='Microsoft-Windows-TerminalServices-ClientActiveXCore/Microsoft-Windows-TerminalServices-RDPClient/Operational'

 

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎12-20-2021 12:19 AM

Yes, your stanza name is too long. Loose the first part.

You can verify it with powershell

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view...

Check with what -LogName value you'll get results. It's way easier than blindly (re)configuring splunk inputs/

0 Karma
Reply
Solved! Jump to solution

g_paternicola
Path Finder
‎12-20-2021 12:47 AM

this command was my solution:

Get-WinEvent -FilterHashTable @{ LogName = "Microsoft-Windows-TerminalServices-RDPClient/Operational"; ID = 1024 }

There is no "TerminalServices-ClientActiveXCore" in the PowerShell results. This also why Splunk told me all the time "failed to find ...." Thank you!

0 Karma
Reply
Solved! Jump to solution

g_paternicola
Path Finder
‎12-19-2021 11:38 PM

Is there anyone else that can help me, please?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2021 08:55 AM

The escape character is '\'.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

g_paternicola
Path Finder
‎12-03-2021 08:57 AM

Already tried, but it didn't work.. 😞

 

0 Karma
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...