topic Re: Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded? in Getting Data In

Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

andrefriedmann — Tue, 10 Nov 2015 16:17:18 GMT

I am having a strange issue where some of the message or 'EventData' is missing from the forwarded Windows event logs.

The majority of the event gets forwarded correctly, however, the message only gets the first 2 lines, then chops the rest off!

If I use renderXml = 1 in the inputs, then it works and I can see the full event as I do in Windows. However, I really would rather not have the events forwarded in the XML format!

Any ideas?

Thanks

Re: Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

wkupersa — Wed, 13 Apr 2016 15:55:25 GMT

Having same problem

Re: Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

javiergn — Thu, 14 Apr 2016 12:32:10 GMT

If you search in your internal logs for truncated lines, can you see anything there at all?

index=_internal truncated

Are all your events getting the message field truncated? If not, do those events have anything in common?
Can you run btool to identify which settings are applying and if other apps are conflicting?

Re: Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

wkupersa — Tue, 29 Sep 2020 09:26:45 GMT

In my case, I see all sorts of notifications regarding things being truncated in the _internal index and splunkd.log, but nothing talking about the ForwardedEvents file that I am concerned about.

Btools only shows me the config from inputs.conf
[WinEventLog://ForwardedEvents]
current_only = 0
disabled = 0
evt_dc_name =
evt_dns_name =
index = FEvents

The default section has nothing defined.

Re: Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

ryandg — Mon, 18 Apr 2016 16:15:11 GMT

you are sending this over TCP right and not UDP? The fact that it chops it off at 2 lines to me doesn't look like a truncation issue on the props and transforms but more like the data is getting split into small segments like a UDP connection would do for Windows events.

Re: Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

wkupersa — Mon, 18 Apr 2016 18:01:32 GMT

Thanks for the response. I should have been more clear. I my case, the log message is being truncated after 14 lines. All my log entries end with "message ="

I am using tcp.

I've turned on DEBUG for TailingProcessor, WatchedFile, TailReader, and the WinEventLog options on the forwarder and I am reviewing the splunkd.log but so far, I haven't seen anything useful.

Re: Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

ryandg — Mon, 18 Apr 2016 18:03:52 GMT

Is the forwarder sending straight to the indexer tier or is it going to a heavy forwarder?

Re: Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

wkupersa — Mon, 18 Apr 2016 19:06:41 GMT

Thank you for all the help. I finally figured out what was going on and it was on the windows side. The box in question is an event collector. Apparently I needed to modify the format of the forwarded events with the following statement

wecutil ss "subscription Name" /cf:Events

where "wecutil es" will list all the subscription names

Re: Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

wkupersa — Mon, 18 Apr 2016 19:58:47 GMT

More on this. Making the change above allowed me to see what was going on and get the rest of the event. What I saw was that it was dropping at "message=" because the tool that I was logging wasn't installed on my event collector. When I installed that tool, I ended up having to change the event format back to RenderedText (wecutil ss "subscription name" /cf:RenderedText" in order to get everything to parse correctly. Quite the adventure.

Re: Why is Windows event log message data being truncated and only the first 2 lines are getting forwarded?

ryandg — Tue, 19 Apr 2016 15:28:04 GMT

That's an interesting nuance with your Windows Event Logs, thanks for sharing the fix!