How to troubleshoot why I'm receiving incomplete W...

gnanaraja · ‎02-03-2016

i have configured a forwarder to send Windows event logs events to Splunk. It was working fine and sending events fully. Recently after a reboot, it has been sending only partial information. One particular field in event log events are not being sent. Can someone help to troubleshoot this?

Events before:

LogName=System
SourceName=PRIVMAN
EventCode=28695
EventType=4
Type=Information
ComputerName=DB068038.dmn1.fmr.com
User=a555345
Sid=S-1-5-21-1343024091-606747145-1801674531-1316052
SidType=1
TaskCategory=None
OpCode=None
RecordNumber=111027
Keywords=Classic
Message=PowerBroker for Windows modified the privileges of an ActiveX control installation.

Rule Type: ActiveX
Source URL: http://mw100hcam3.fmr.com
Control: dginslt.cab
CLSID/MIME: {fd023c9b-082c-43f3-ada0-604fd5a1694e}
Version: 2,4,0,1180
Process Type: Standard User
GPO Name: gpoWindows7DARE
GPO GUID: {3287D455-A4DA-451A-9BBE-026CBDB8E2BA}
Rule Name: ActiveX - https://*.fmr.com
Rule GUID: 6031d9cf-e301-496b-aab1-360b645a8e30

Events now:

LogName=System
SourceName=PRIVMAN
EventCode=28695
EventType=4
ComputerName=DB068038.dmn1.fmr.com
User=NOT_TRANSLATED
Sid=S-1-5-21-1343024091-606747145-1801674531-1316052
SidType=0
TaskCategory=None
OpCode=None
RecordNumber=111029
Keywords=None
Message=

Splunk is not sending the information after Message=

abhijitmishra87 · ‎02-04-2016

I somehow feel this is not a problem with logs not coming through, but has something to do with logs breaking at the wrong place. In your logs, look for the word "breaking". It's possible that the logs get broken at this place and it would probably be the next event or unable to find a timestamp, it is giving it a default timestamp and you would just have to do a little bit of finding.

How to troubleshoot why I'm receiving incomplete Windows event logs after a reboot?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life