Getting Data In

Why are Windows Event Logs from a Windows Server 2003 missing a value for the Message field for some EventCodes (628 and 644)?

Explorer

Some events (628 and 644) of a Windows 2003 are coming in with an empty Message field.

ex:

LogName=Security
SourceName=Security
EventCode=628
EventType=8
Type=Success Audit
ComputerName=server1
User=userx
Sid=S-1-5-21-1805228463-3643871152-3900399489-27398
SidType=1
Category=7
CategoryString=Account Management
RecordNumber=665178237
Message=

However, other events such as 680, 540, 538, 672, 836, 837 are logging correctly.

ex:

LogName=Security
SourceName=Security
EventCode=680
EventType=16
Type=Failure Audit
ComputerName=server1
User=SYSTEM
Sid=S-1-5-18
SidType=5
Category=9
CategoryString=Account Logon
RecordNumber=6651ff787
Message=Logon attempt by:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account:  hosta$

Source Workstation: \\hosta

Error Code: 0xC0000199

It is normal?

0 Karma
1 Solution

Explorer

I managed to solve the problem.

I had to change the UF version 2.2 of splunk to 1.9 in Windows 2003.
After that the log text came complete.

View solution in original post

0 Karma

Explorer

I managed to solve the problem.

I had to change the UF version 2.2 of splunk to 1.9 in Windows 2003.
After that the log text came complete.

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!