Getting Data In

Why are Windows Event Logs from a Windows Server 2003 missing a value for the Message field for some EventCodes (628 and 644)?

sergeimartao
Explorer

Some events (628 and 644) of a Windows 2003 are coming in with an empty Message field.

ex:

LogName=Security
SourceName=Security
EventCode=628
EventType=8
Type=Success Audit
ComputerName=server1
User=userx
Sid=S-1-5-21-1805228463-3643871152-3900399489-27398
SidType=1
Category=7
CategoryString=Account Management
RecordNumber=665178237
Message=

However, other events such as 680, 540, 538, 672, 836, 837 are logging correctly.

ex:

LogName=Security
SourceName=Security
EventCode=680
EventType=16
Type=Failure Audit
ComputerName=server1
User=SYSTEM
Sid=S-1-5-18
SidType=5
Category=9
CategoryString=Account Logon
RecordNumber=6651ff787
Message=Logon attempt by:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account:  hosta$

Source Workstation: \\hosta

Error Code: 0xC0000199

It is normal?

0 Karma
1 Solution

sergeimartao
Explorer

I managed to solve the problem.

I had to change the UF version 2.2 of splunk to 1.9 in Windows 2003.
After that the log text came complete.

View solution in original post

0 Karma

sergeimartao
Explorer

I managed to solve the problem.

I had to change the UF version 2.2 of splunk to 1.9 in Windows 2003.
After that the log text came complete.

0 Karma
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...