Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to troubleshoot why I'm receiving incomplete Windows event logs after a reboot?

gnanaraja
New Member
‎02-03-2016 11:44 PM

i have configured a forwarder to send Windows event logs events to Splunk. It was working fine and sending events fully. Recently after a reboot, it has been sending only partial information. One particular field in event log events are not being sent. Can someone help to troubleshoot this?

Events before:

LogName=System
SourceName=PRIVMAN
EventCode=28695
EventType=4
Type=Information
ComputerName=DB068038.dmn1.fmr.com
User=a555345
Sid=S-1-5-21-1343024091-606747145-1801674531-1316052
SidType=1
TaskCategory=None
OpCode=None
RecordNumber=111027
Keywords=Classic
Message=PowerBroker for Windows modified the privileges of an ActiveX control installation.

Rule Type: ActiveX
Source URL: http://mw100hcam3.fmr.com
Control: dginslt.cab
CLSID/MIME: {fd023c9b-082c-43f3-ada0-604fd5a1694e}
Version: 2,4,0,1180
Process Type: Standard User
GPO Name: gpoWindows7DARE
GPO GUID: {3287D455-A4DA-451A-9BBE-026CBDB8E2BA}
Rule Name: ActiveX - https://*.fmr.com
Rule GUID: 6031d9cf-e301-496b-aab1-360b645a8e30

Events now:

LogName=System
SourceName=PRIVMAN
EventCode=28695
EventType=4
ComputerName=DB068038.dmn1.fmr.com
User=NOT_TRANSLATED
Sid=S-1-5-21-1343024091-606747145-1801674531-1316052
SidType=0
TaskCategory=None
OpCode=None
RecordNumber=111029
Keywords=None
Message=

Splunk is not sending the information after Message=

0 Karma
Reply

abhijitmishra87
Explorer
‎02-04-2016 04:03 PM

I somehow feel this is not a problem with logs not coming through, but has something to do with logs breaking at the wrong place. In your logs, look for the word "breaking". It's possible that the logs get broken at this place and it would probably be the next event or unable to find a timestamp, it is giving it a default timestamp and you would just have to do a little bit of finding.

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...