×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
kerr63
New Member
Member since: ‎04-15-2011
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎04-15-2011
Activity Feed
View All

Re: windows universal forwarder events not parsing...

by in Getting Data In
‎05-03-2011 08:21 AM
‎05-03-2011 08:21 AM
In the meantime, using another tool as a sender to the syslog "stream" also works. MS has a tool called LogParser which can be scripted and scheduled to read event logs and output to syslog, and the Snare Agent for Windows can also understand the event logs properly. The receiver/indexer accepts both of these just fine with proper event messages and descriptions. ... View more

Re: windows universal forwarder events not parsing...

by in Getting Data In
‎04-26-2011 08:20 AM
‎04-26-2011 08:20 AM
Splunk extracts the message field properly for the local event log. What part of splunk is doing that, and where could the input from the forwarder be directed to do that same lookup? If it's reading it from a DLL or other event code table, there could be a way to process the forwarded events in the same fashion. ... View more

windows universal forwarder events not parsing on ...

by in Getting Data In
‎04-26-2011 07:34 AM
‎04-26-2011 07:34 AM
Hello, Using Splunk 4.2 (96430) for both a Universal Forwarder and a regular/receiver installation, on Windows Server 2003 R2, both systems same version, service pack, etc. Forwarder is successfully sending to receiver, correctly monitoring selected log files. We want to monitor the Windows Event Log for DNS services, and it is correctly sending that data; however, at the receiver, it is not parsing the DNS Server messages, stating: "Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt." DNS Server is also installed on the receiving system, and monitoring the DNS Server event log properly parses the local DNS events. All other fields (except hostname and record number) are identical, so it recognizes that these are DNS events. How would one make the received (forwarded) DNS events parse to get the proper Message description just like the local DNS events? Both system have DNS server, same windows ver, etc. It seems even though Splunk is receiving the events properly, it won't parse the forwarded events. Thanks- J ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM