Getting Data In

Why are Windows Event Logs from a Windows Server 2003 missing a value for the Message field for some EventCodes (628 and 644)?

Explorer

Some events (628 and 644) of a Windows 2003 are coming in with an empty Message field.

ex:

LogName=Security
SourceName=Security
EventCode=628
EventType=8
Type=Success Audit
ComputerName=server1
User=userx
Sid=S-1-5-21-1805228463-3643871152-3900399489-27398
SidType=1
Category=7
CategoryString=Account Management
RecordNumber=665178237
Message=

However, other events such as 680, 540, 538, 672, 836, 837 are logging correctly.

ex:

LogName=Security
SourceName=Security
EventCode=680
EventType=16
Type=Failure Audit
ComputerName=server1
User=SYSTEM
Sid=S-1-5-18
SidType=5
Category=9
CategoryString=Account Logon
RecordNumber=6651ff787
Message=Logon attempt by:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account:  hosta$

Source Workstation: \\hosta

Error Code: 0xC0000199

It is normal?

0 Karma
1 Solution

Explorer

I managed to solve the problem.

I had to change the UF version 2.2 of splunk to 1.9 in Windows 2003.
After that the log text came complete.

View solution in original post

0 Karma

Explorer

I managed to solve the problem.

I had to change the UF version 2.2 of splunk to 1.9 in Windows 2003.
After that the log text came complete.

View solution in original post

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!