I have configured a forwarder to send Windows event log events to Splunk. It was working fine and sending events fully. Recently, after a reboot, it has been sending only partial information. One particular field in the event log events is not being sent. Can someone help me troubleshoot this?
Events before:
LogName=System
SourceName=PRIVMAN
EventCode=28695
EventType=4
Type=Information
ComputerName=DB068038.dmn1.fmr.com
User=a555345
Sid=S-1-5-21-1343024091-606747145-1801674531-1316052
SidType=1
TaskCategory=None
OpCode=None
RecordNumber=111027
Keywords=Classic
Message=PowerBroker for Windows modified the privileges of an ActiveX control installation.
Rule Type: ActiveX
Source URL: http://mw100hcam3.fmr.com
Control: dginslt.cab
CLSID/MIME: {fd023c9b-082c-43f3-ada0-604fd5a1694e}
Version: 2,4,0,1180
Process Type: Standard User
GPO Name: gpoWindows7DARE
GPO GUID: {3287D455-A4DA-451A-9BBE-026CBDB8E2BA}
Rule Name: ActiveX - https://*.fmr.com
Rule GUID: 6031d9cf-e301-496b-aab1-360b645a8e30
Events now:
LogName=System
SourceName=PRIVMAN
EventCode=28695
EventType=4
ComputerName=DB068038.dmn1.fmr.com
User=NOT_TRANSLATED
Sid=S-1-5-21-1343024091-606747145-1801674531-1316052
SidType=0
TaskCategory=None
OpCode=None
RecordNumber=111029
Keywords=None
Message=
Splunk is not sending the information after Message=
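As an added example (not from the question, nor Splunk's own code), here is a small Python check that parses the key=value layout shown above and flags events carrying the symptoms of the second sample (empty Message, User=NOT_TRANSLATED, SidType=0), so that degraded collection can be alerted on rather than noticed by chance. The host, user and SID values in the samples are constructed placeholders.

```python
import re

# Constructed samples mirroring the two events in the question (host, user, SID are placeholders).
EVENT_OK = """LogName=System
SourceName=PRIVMAN
EventCode=28695
Type=Information
ComputerName=host.example.invalid
User=someuser
Sid=S-1-5-21-1-2-3-1000
SidType=1
Keywords=Classic
Message=PowerBroker for Windows modified the privileges of an ActiveX control installation.
Rule Type: ActiveX"""

EVENT_DEGRADED = """LogName=System
SourceName=PRIVMAN
EventCode=28695
ComputerName=host.example.invalid
User=NOT_TRANSLATED
Sid=S-1-5-21-1-2-3-1000
SidType=0
Keywords=None
Message="""

KV_RE = re.compile(r"^([A-Za-z]+)=(.*)$")

def parse_winevent(raw: str) -> dict:
    # Header is one Key=Value per line; from 'Message=' onward the rest is the message body.
    fields, lines = {}, raw.splitlines()
    for i, line in enumerate(lines):
        m = KV_RE.match(line)
        if m and m.group(1) == "Message":
            fields["Message"] = "\n".join([m.group(2)] + lines[i + 1:]).strip()
            break
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def incomplete_reasons(ev: dict) -> list:
    # Symptoms that the forwarder could not render the event (see the second sample).
    reasons = []
    if not ev.get("Message"):
        reasons.append("empty Message: event description not rendered")
    if ev.get("User") == "NOT_TRANSLATED":
        reasons.append("User SID not resolved to an account name")
    if ev.get("SidType") == "0":
        reasons.append("SidType=0: unknown SID type")
    return reasons
```

Run over a batch of forwarded events, a non-empty result from incomplete_reasons is the signal to inspect the forwarder host rather than the Splunk side.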