
Forums: SplunkAdministration: Windows 2008 Event Descriptions not displayed




Somehow I can't see the event descriptions in Splunk from Windows 2008 servers:


10/14/09 03:56:06 PM
LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=5156
EventType=0
ComputerName=NT150.my.domain
TaskCategory=None
OpCode=None
RecordNumber=6989
Keywords=None
Message=The description for Event ID 5156 from source Microsoft-Windows-Security-Auditing cannot be found.
Either the component that raises this event is not installed on your local computer or the installation is corrupted.
You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

The specified resource language ID cannot be found in the image file.

System %%14593 172.31.6.150 8 172.31.4.16 0 %%14611

Anyone have an idea?

This message usually occurs when the dll containing the event description is missing.

Hmm, I tried to search online for it, but somehow can't seem to find anything about this. Is this a Splunk problem or a Windows problem? If I look on both machines (both running Windows 2008 Server) in the Event Viewer, I can see the event description; only Splunk can't see them.

Any idea where to look?

It is a product of the way the Event Log works. Other users have had the same problem:

http://www.splunk.com/support/forum:SplunkAdministration/2932

Here is something I found via google:

http://www.eventlogblog.com/blog/2008/04/event-log-message-files-the-de.html

Hi Araitz,

Just tried a few things:
http://www.splunk.com/support/forum:SplunkAdministration/2886 (the registry was indeed wrong); after a reboot of the server, same problem.

I installed a new Splunk instance on a new server with domain administrator rights and local admin rights (maybe it was a permissions issue), but the problem stays the same. Even the local event collection shows the same issue.

The strange thing is that in the Windows Event Viewer the information does show up.

Anyone else got the same issue on Windows 2008? Or can anyone explain how they installed Splunk on Windows 2008?

Anyone?

Hi everyone.

I was able to track down the problem related to this issue and fix it.
The fix will go out with the next maintenance release of Splunk 4.0; it did not make it into 4.0.6.

The issue was related to how the locale was set when opening a Windows event log publisher for reading its metadata. Normally the locale value is set to the user default, "LOCALE_USER_DEFAULT", which sets the LANGID to the user default as well. On some systems this was not enough. Down the line, when trying to format the message description of the event, it was complaining that it could not find the language resource ID.

Now, when opening the Windows event log publisher, the locale is instead set to zero, forcing the API to look deeper for the LANGID:

From MSDN docs:
....

If you pass in zero, FormatMessage looks for a message for LANGIDs in the following order:

1. Language neutral
2. Thread LANGID, based on the thread's locale value
3. User default LANGID, based on the user's default locale value
4. System default LANGID, based on the system default locale value
5. US English
.....

This seems to have fixed the problem.

Cheers,

Ledio Ago
Lead Software Engineer, Splunk, Inc.
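The lookup order Ledio quotes from MSDN, modelled as an added example. This is not Splunk code and not the Win32 API: `lookup_message()`, the message table and the thread/user/system LANGID values are constructed here to show why an exact-language request fails against a publisher that ships only English strings, while a request with LANGID zero falls through the chain and still renders. The en-US (0x0409) and nl-NL (0x0413) identifiers are the real Windows values; the event texts are illustrative.

```c
/* Model of the FormatMessage LANGID fallback order. Added example: not Splunk code,
 * not the Win32 API. The table, the lookup function and the locale values below are
 * constructed for illustration. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t LANGID;            /* a Win32 LANGID is a 16-bit value */

#define LANG_NEUTRAL 0x0000         /* language-neutral resource */
#define LANG_EN_US   0x0409         /* real LANGID of en-US */
#define LANG_NL_NL   0x0413         /* real LANGID of nl-NL; stands in for a non-English user locale */

/* One entry of a constructed message resource table: event id, language, text. */
typedef struct {
    uint32_t    id;
    LANGID      lang;
    const char *text;
} msg_entry;

/* A publisher whose message table ships only en-US strings (the common case). */
static const msg_entry table[] = {
    { 5156, LANG_EN_US, "The Windows Filtering Platform has permitted a connection." },
    { 4624, LANG_EN_US, "An account was successfully logged on." },
};

/* Exact (id, lang) lookup; NULL when that language is absent from the table. */
static const char *lookup_exact(uint32_t id, LANGID lang)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].id == id && table[i].lang == lang)
            return table[i].text;
    return NULL;
}

/* Emulates FormatMessage's language selection.
 *   requested != 0 : only that LANGID is tried (what passing the user-default
 *                    language amounts to on a non-English system);
 *   requested == 0 : walk the documented chain: neutral, thread, user, system, en-US. */
const char *lookup_message(uint32_t id, LANGID requested,
                           LANGID thread_lang, LANGID user_lang, LANGID system_lang)
{
    if (requested != 0)
        return lookup_exact(id, requested);

    const LANGID chain[] = { LANG_NEUTRAL, thread_lang, user_lang, system_lang, LANG_EN_US };
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        const char *text = lookup_exact(id, chain[i]);
        if (text)
            return text;
    }
    return NULL;
}

int main(void)
{
    /* A Dutch-locale host: thread, user and system LANGID are all nl-NL. */
    const char *strict = lookup_message(5156, LANG_NL_NL, LANG_NL_NL, LANG_NL_NL, LANG_NL_NL);
    const char *loose  = lookup_message(5156, 0,          LANG_NL_NL, LANG_NL_NL, LANG_NL_NL);

    printf("user-default LANGID: %s\n",
           strict ? strict : "(resource language ID not found)");
    printf("LANGID zero        : %s\n",
           loose ? loose : "(resource language ID not found)");
    return 0;
}
```

With the user-default language requested, the lookup fails exactly as the indexed events above show ("The specified resource language ID cannot be found in the image file"); with zero the chain reaches the en-US entry and the description renders. Checking whether the Event Viewer on the same host shows the description, as the original poster did, is the quick way to tell this rendering failure apart from a genuinely missing message DLL.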

Thank you ledio!!!

This was really becoming an issue here, thank you for the solution!

Where is the fix for this? Is it with 4.0.8? I see this error on some machines.

I'm having the same issue with 4.0.9, so it's apparently not fixed yet.
