Getting Data In

Why are Windows Event Logs from a Windows Server 2003 missing a value for the Message field for some EventCodes (628 and 644)?

sergeimartao
Explorer

Some events (628 and 644) of a Windows 2003 are coming in with an empty Message field.

ex:

LogName=Security
SourceName=Security
EventCode=628
EventType=8
Type=Success Audit
ComputerName=server1
User=userx
Sid=S-1-5-21-1805228463-3643871152-3900399489-27398
SidType=1
Category=7
CategoryString=Account Management
RecordNumber=665178237
Message=

However, other events such as 680, 540, 538, 672, 836, 837 are logging correctly.

ex:

LogName=Security
SourceName=Security
EventCode=680
EventType=16
Type=Failure Audit
ComputerName=server1
User=SYSTEM
Sid=S-1-5-18
SidType=5
Category=9
CategoryString=Account Logon
RecordNumber=6651ff787
Message=Logon attempt by:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account:  hosta$

Source Workstation: \\hosta

Error Code: 0xC0000199

It is normal?

0 Karma
1 Solution

sergeimartao
Explorer

I managed to solve the problem.

I had to change the UF version 2.2 of splunk to 1.9 in Windows 2003.
After that the log text came complete.

View solution in original post

0 Karma

sergeimartao
Explorer

I managed to solve the problem.

I had to change the UF version 2.2 of splunk to 1.9 in Windows 2003.
After that the log text came complete.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...