Getting Data In

How to troubleshoot why I'm receiving incomplete Windows event logs after a reboot?

gnanaraja
New Member

I have configured a forwarder to send Windows event log events to Splunk. It was working fine and sending events fully. Recently, after a reboot, it has been sending only partial information. One particular field in event log events is not being sent. Can someone help to troubleshoot this?

Events before:

LogName=System
SourceName=PRIVMAN
EventCode=28695
EventType=4
Type=Information
ComputerName=DB068038.dmn1.fmr.com
User=a555345
Sid=S-1-5-21-1343024091-606747145-1801674531-1316052
SidType=1
TaskCategory=None
OpCode=None
RecordNumber=111027
Keywords=Classic
Message=PowerBroker for Windows modified the privileges of an ActiveX control installation.

Rule Type: ActiveX
Source URL: http://mw100hcam3.fmr.com
Control: dginslt.cab
CLSID/MIME: {fd023c9b-082c-43f3-ada0-604fd5a1694e}
Version: 2,4,0,1180
Process Type: Standard User
GPO Name: gpoWindows7DARE
GPO GUID: {3287D455-A4DA-451A-9BBE-026CBDB8E2BA}
Rule Name: ActiveX - https://*.fmr.com
Rule GUID: 6031d9cf-e301-496b-aab1-360b645a8e30

Events now:

LogName=System
SourceName=PRIVMAN
EventCode=28695
EventType=4
ComputerName=DB068038.dmn1.fmr.com
User=NOT_TRANSLATED
Sid=S-1-5-21-1343024091-606747145-1801674531-1316052
SidType=0
TaskCategory=None
OpCode=None
RecordNumber=111029
Keywords=None
Message=

Splunk is not sending the information after Message=

0 Karma

abhijitmishra87
Explorer

I somehow feel this is not a problem with logs not coming through, but has something to do with logs breaking at the wrong place. In your logs, look for the word "breaking". It's possible that the logs get broken at this place, and it would probably be the next event or, unable to find a timestamp, it is giving it a default timestamp, and you would just have to do a little bit of finding.

0 Karma
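The answer above points at event breaking rather than lost data, and the question's own samples show why that matters: the Message body of a complete PRIVMAN event contains a blank line before the "Rule Type:" block, so anything that splits records on blank lines will cut the message off and leave an orphaned fragment with no timestamp or LogName. The following Python script is an added example for this thread, not Splunk code or anything from the original posters. It parses the key=value WinEventLog text format shown in the question, contrasts splitting on blank lines with splitting on the LogName= header, and flags records that arrive without the fields a complete event carries (no Type line, an empty Message body, an unresolved User of NOT_TRANSLATED). The two sample records are constructed from the question's before/after output, with hostname, account and SID replaced by placeholders and the message shortened.

```python
"""Audit forwarded WinEventLog records for signs of truncation or bad breaking.

Added example for the forum thread above; not Splunk code. The field
names follow the key=value layout shown in the question. The heuristics
for an incomplete record are assumptions drawn from the question's
before/after samples, not a documented Splunk rule.
"""
import re

# Constructed sample modelled on the question's two records. The first is
# complete and its Message body contains a blank line; the second is the
# truncated shape seen after the reboot (no Type, empty Message, unresolved User).
SAMPLE = """LogName=System
SourceName=PRIVMAN
EventCode=28695
EventType=4
Type=Information
ComputerName=host01.example.com
User=user01
Sid=S-1-5-21-1111-2222-3333-1000
SidType=1
TaskCategory=None
OpCode=None
RecordNumber=111027
Keywords=Classic
Message=PowerBroker for Windows modified the privileges of an ActiveX control installation.

Rule Type: ActiveX
Rule Name: ActiveX - https://*.example.com

LogName=System
SourceName=PRIVMAN
EventCode=28695
EventType=4
ComputerName=host01.example.com
User=NOT_TRANSLATED
Sid=S-1-5-21-1111-2222-3333-1000
SidType=0
TaskCategory=None
OpCode=None
RecordNumber=111029
Keywords=None
Message=
"""

# Every record in this format opens with a LogName= line.
HEADER_RE = re.compile(r"^LogName=", re.MULTILINE)

# Fields every complete record in the question's "before" sample carried.
REQUIRED_FIELDS = ("LogName", "SourceName", "EventCode", "EventType", "Type",
                   "ComputerName", "User", "RecordNumber")


def split_on_blank_lines(text):
    """The naive split: treats every blank line as an event boundary.
    This is the behaviour the answer warns about; it cuts multi-line messages."""
    return [chunk for chunk in re.split(r"\n[ \t]*\n", text) if chunk.strip()]


def split_events(text):
    """Split on the LogName= header so a Message body may span blank lines."""
    starts = [m.start() for m in HEADER_RE.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[s:e].strip("\n") for s, e in zip(starts, ends)]


def parse_event(record):
    """Return (header fields, message body). Everything after 'Message=' is body."""
    fields, body, in_message = {}, [], False
    for line in record.splitlines():
        if in_message:
            body.append(line)
        elif line.startswith("Message="):
            in_message = True
            body.append(line[len("Message="):])
        elif "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return fields, "\n".join(body).strip()


def check_event(record):
    """List the reasons a record looks incomplete; an empty list means it looks whole."""
    fields, message = parse_event(record)
    problems = [f"missing field {k}" for k in REQUIRED_FIELDS if k not in fields]
    if not message:
        problems.append("empty Message body")
    if fields.get("User") == "NOT_TRANSLATED":
        problems.append("User SID not resolved (NOT_TRANSLATED)")
    return problems


def audit(text):
    """Map each record's RecordNumber to its list of problems."""
    result = {}
    for record in split_events(text):
        fields, _ = parse_event(record)
        result[fields.get("RecordNumber", "?")] = check_event(record)
    return result


if __name__ == "__main__":
    naive = split_on_blank_lines(SAMPLE)
    print(f"blank-line split: {len(naive)} chunks, "
          f"{sum(not c.startswith('LogName=') for c in naive)} without a LogName header")
    for rec, problems in audit(SAMPLE).items():
        print(rec, "OK" if not problems else "; ".join(problems))
```

Run against a dump of what the forwarder actually emitted, the blank-line count tells you whether the message body is being chopped into headerless fragments (the "breaking" the answer refers to), while the audit separates that from the second symptom in the question, where the record itself arrives with no Type line and an empty Message.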