https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-m-receiving-incomplete-Windows-event/m-p/268769#M51585 <P>I somehow feel this is not a problem with logs not coming through, but has something to do with logs breaking at the wrong place. In your logs, look for the word "breaking". It's possible that the logs get broken at this place and it would probably be the next event or unable to find a timestamp, it is giving it a default timestamp and you would just have to do a little bit of finding.</P> Fri, 05 Feb 2016 00:03:57 GMT abhijitmishra87 2016-02-05T00:03:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-m-receiving-incomplete-Windows-event/m-p/268768#M51584 <P>i have configured a forwarder to send Windows event logs events to Splunk. It was working fine and sending events fully. Recently after a reboot, it has been sending only partial information. One particular field in event log events are not being sent. Can someone help to troubleshoot this?</P> <P><STRONG>Events before:</STRONG></P> <P>LogName=System<BR /> SourceName=PRIVMAN<BR /> EventCode=28695<BR /> EventType=4<BR /> Type=Information<BR /> ComputerName=DB068038.dmn1.fmr.com<BR /> User=a555345<BR /> Sid=S-1-5-21-1343024091-606747145-1801674531-1316052<BR /> SidType=1<BR /> TaskCategory=None<BR /> OpCode=None<BR /> RecordNumber=111027<BR /> Keywords=Classic<BR /> <STRONG>Message=PowerBroker for Windows modified the privileges of an ActiveX control installation.</STRONG></P> <P>Rule Type: ActiveX<BR /> Source URL: <A href="http://mw100hcam3.fmr.com">http://mw100hcam3.fmr.com</A><BR /> Control: dginslt.cab<BR /> CLSID/MIME: {fd023c9b-082c-43f3-ada0-604fd5a1694e}<BR /> Version: 2,4,0,1180<BR /> Process Type: Standard User<BR /> GPO Name: gpoWindows7DARE<BR /> GPO GUID: {3287D455-A4DA-451A-9BBE-026CBDB8E2BA}<BR /> Rule Name: ActiveX - <A href="https://*.fmr.com" target="test_blank">https://*.fmr.com</A><BR /> Rule GUID: 6031d9cf-e301-496b-aab1-360b645a8e30</P> <P><STRONG>Events now:</STRONG></P> <P>LogName=System<BR /> SourceName=PRIVMAN<BR /> EventCode=28695<BR /> EventType=4<BR /> ComputerName=DB068038.dmn1.fmr.com<BR /> User=NOT_TRANSLATED<BR /> Sid=S-1-5-21-1343024091-606747145-1801674531-1316052<BR /> SidType=0<BR /> TaskCategory=None<BR /> OpCode=None<BR /> RecordNumber=111029<BR /> Keywords=None<BR /> <STRONG>Message=</STRONG></P> <P>Splunk is not sending the information after <STRONG>Message=</STRONG></P> Thu, 04 Feb 2016 07:44:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-m-receiving-incomplete-Windows-event/m-p/268768#M51584 gnanaraja 2016-02-04T07:44:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-m-receiving-incomplete-Windows-event/m-p/268769#M51585 <P>I somehow feel this is not a problem with logs not coming through, but has something to do with logs breaking at the wrong place. In your logs, look for the word "breaking". It's possible that the logs get broken at this place and it would probably be the next event or unable to find a timestamp, it is giving it a default timestamp and you would just have to do a little bit of finding.</P> Fri, 05 Feb 2016 00:03:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-I-m-receiving-incomplete-Windows-event/m-p/268769#M51585 abhijitmishra87 2016-02-05T00:03:57Z