Splunk® Enterprise

Troubleshooting Manual

Download manual as PDF

Troubleshooting Windows event log collection

This topic discusses solutions to problems encountered when attempting to get Windows event log data into Splunk.

Problems with collection and indexing of Windows event logs generally fall into two categories:

  • Event logs are not collected from the server. This is usually due to either a local configuration problem or, in the case of remote event log collection, a network, permissions, or authentication issue.
  • Event logs are collected from the server, but information within the event log is either missing or incorrect. This is usually due to problems associated with a particular event log channel, or because of the methods used to collect data from those channels.

Troubleshooting issues with event logs collected locally

When you have problems getting data into your local Splunk instance, try these tips to fix the problem:

  • Make sure that the desired event log channels are selected in Splunk Web or properly configured in inputs.conf.
  • Make sure to select fewer than 64 event log channels per event log input.
  • Make sure that you are not attempting to index exported event logs that are incompatible with the indexing system (for example, attempting to index event logs exported from a Windows Server 2008 computer on a Windows XP computer will result in missing log data).
  • Make sure that, if you are monitoring non-standard event log channels, that you have the appropriate dynamic linked libraries (DLLs) that are associated with that event log channel. This is particularly important when indexing exported log files from a different computer.

Troubleshooting issues with event logs collected remotely

When you experience issues getting event logs from remote Windows servers, try these solutions to fix the problem:

  • Make sure that your Splunk user is configured correctly for WMI.
  • Make sure that your Splunk user is valid, and does not have an expired password.
  • Make sure that the Event Log service is running on both the source and target machines.
  • Make sure that your Active Directory (AD) is functioning correctly.
  • Make sure that your computers are configured to allow WMI data between them.
  • Make sure that your event logs are properly configured for remote access.

For more information

See the Admin Manual for information on getting started for Windows admins.

Common issues with Splunk and WMI
I need advanced help troubleshooting Splunk for Windows

This documentation applies to the following versions of Splunk: 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.3.0, 6.3.1 View the Article History for its revisions.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters