We have a Windows Universal Forwarder installed as a service user (svcSplunk) with read access to ALL event logs (Windows 2008R2). We are getting all event logs except the "Security" event log. We are struggling to find the reason for it. Diags show three errors, as below:
- ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" splunk-winevtlog - WinEventLogChannel::init: Init failed, unable to subscribe to Windows Event Log channel 'security': errorCode=5
- ERROR ExecProcessor - Couldn't start command "D:\SplunkUniversalForwarder\bin\splunk-admon.exe": The media is write protected.
- ERROR ExecProcessor - message from "D:\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" splunk-winevtlog - WinEventLogChannel::init: Failed to bind to DC, dc_bind_time=12106 msec
I've tested the recommendations in the URL below too, but it is NOT related to security software running:
https://answers.splunk.com/answers/248673/why-is-the-splunk-universal-forwarder-on-my-domain.html
Any help would be much appreciated.
============ update ============
PS: (the other options/tests we tried already)
- Windows Application and System event logs are read and working correctly. The problem is ONLY with Wineventlog:Security
- With admin permissions everything works perfectly, including Security logs
- No security software running
- Created an interactive "*test*" user with the same level of permissions as *svcSplunk*. As the "*test*" user, event logs are readable
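A diagnostic for the errorCode=5 (access denied) symptom described above, added here as an example and not part of the original post or of Splunk's own tooling: it reads the Security channel's access descriptor with wevtutil, lists which trustees are granted read on that channel, and shows the identity the forwarder service actually runs as, which can differ from the account used for an interactive test. It assumes PowerShell 5.1 or later run as an administrator, the account name svcSplunk from the post, and the default service name SplunkForwarder (adjust if your install differs).

```powershell
# Added diagnostic (not from the original post). Assumptions: PowerShell 5.1+,
# run elevated, account 'svcSplunk' and service name 'SplunkForwarder'.
param(
    [string]$Account     = 'svcSplunk',       # assumed service account name
    [string]$ServiceName = 'SplunkForwarder'  # assumed forwarder service name
)

# 'wevtutil gl Security' prints a line such as
#   channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
$line = (wevtutil gl Security) | Where-Object { $_ -match '^channelAccess:' }
$sddl = ($line -split ':', 2)[1].Trim()
$sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl

# Event log channel access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear
$readers = foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -is [System.Security.AccessControl.CommonAce] -and
        $ace.AceType -eq 'AccessAllowed' -and ($ace.AccessMask -band 0x1)) {
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            Trustee = $name
            SID     = $ace.SecurityIdentifier.Value
            Mask    = ('0x{0:x}' -f $ace.AccessMask)
        }
    }
}
"Trustees granted read on the Security channel:"
$readers | Format-Table -AutoSize

# Identity the service actually runs under (may differ from the interactive test user)
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { "Service '$ServiceName' runs as: $($svc.StartName)" }
else      { "Service '$ServiceName' not found; check the installed service name" }

# Is the account listed directly? If not, read must come via a group it belongs to
# (e.g. Event Log Readers, S-1-5-32-573) or the 'Manage auditing and security log' right.
try {
    $sid = (New-Object System.Security.Principal.NTAccount $Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    if ($readers.SID -contains $sid) { "$Account is granted read directly" }
    else { "$Account is not listed directly; check its group membership and user rights" }
}
catch { "Could not resolve account '$Account': $_" }
```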