Troubleshoot Windows event log collection
This topic discusses solutions to problems encountered when attempting to get Windows event log data into Splunk.
Problems with collection and indexing of Windows event logs generally fall into two categories:
- Event logs are not collected from the server. This is usually due to either a local configuration problem or, in the case of remote event log collection, a network, permissions, or authentication issue.
- Event logs are collected from the server, but information within the event log is either missing or incorrect. This is usually due to problems associated with a particular event log channel, or because of the methods used to collect data from those channels.
Troubleshooting issues with event logs collected locally
When you have problems getting data into your local Splunk instance, try these tips to fix the problem:
- Make sure that the desired event log channels are selected in Splunk Web or properly configured in inputs.conf.
- Make sure to select fewer than 64 event log channels per event log input.
- Make sure that you are not attempting to index exported event logs that are incompatible with the indexing system (for example, attempting to index event logs exported from a Windows Server 2008 computer on a Windows XP computer will result in missing log data).
- Make sure that, if you are monitoring non-standard event log channels, that you have the appropriate dynamic linked libraries (DLLs) that are associated with that event log channel. This is particularly important when indexing exported log files from a different computer.
Troubleshooting issues with event logs collected remotely
When you experience issues getting event logs from remote Windows servers, try these solutions to fix the problem:
- Make sure that your Splunk user is configured correctly for WMI.
- Make sure that your Splunk user is valid, and does not have an expired password.
- Make sure that the Event Log service is running on both the source and target machines.
- Make sure that your Active Directory (AD) is functioning correctly.
- Make sure that your computers are configured to allow WMI data between them.
- Make sure that your event logs are properly configured for remote access.
For more information
See the Admin Manual for information on getting started for Windows admins.
What do I do with buckets?
Common issues with Splunk and WMI
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2