Some events (628 and 644) from a Windows 2003 host are coming in with an empty Message field.
Example:
LogName=Security
SourceName=Security
EventCode=628
EventType=8
Type=Success Audit
ComputerName=server1
User=userx
Sid=S-1-5-21-1805228463-3643871152-3900399489-27398
SidType=1
Category=7
CategoryString=Account Management
RecordNumber=665178237
Message=
However, other events such as 680, 540, 538, 672, 836, 837 are logging correctly.
Example:
LogName=Security
SourceName=Security
EventCode=680
EventType=16
Type=Failure Audit
ComputerName=server1
User=SYSTEM
Sid=S-1-5-18
SidType=5
Category=9
CategoryString=Account Logon
RecordNumber=6651ff787
Message=Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: hosta$
Source Workstation: \\hosta
Error Code: 0xC0000199
Is this normal?
I managed to solve the problem.
I had to change the Splunk UF from version 2.2 to 1.9 on Windows 2003.
After that, the log text came through complete.
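
A check for the symptom described in this thread, as an added example that is not part of the original posts or Splunk's own code: it parses events in the key=value layout quoted in the question and reports which EventCodes arrive with a blank Message. The sample input is constructed from the two events in the question, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, abridged from the two events quoted in the question.
SAMPLE = r"""LogName=Security
EventCode=628
Type=Success Audit
RecordNumber=665178237
Message=
LogName=Security
EventCode=680
Type=Failure Audit
RecordNumber=6651ff787
Message=Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: hosta$
Source Workstation: \\hosta
Error Code: 0xC0000199
"""

KEY_VALUE = re.compile(r"^([A-Za-z]+)=(.*)$")

def parse_events(text):
    """Split key=value text into events; lines after Message= extend the message."""
    events, current, in_message = [], None, False
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if match and match.group(1) == "LogName":
            current, in_message = {}, False    # LogName= opens a new event
            events.append(current)
        if current is None:
            continue                           # skip anything before the first event
        if match and (not in_message or match.group(1) == "LogName"):
            current[match.group(1)] = match.group(2)
            in_message = match.group(1) == "Message"
        elif in_message:
            current["Message"] += "\n" + line  # multi-line message body
    return events

def empty_message_events(events):
    """Return (EventCode, RecordNumber) for events whose Message is missing or blank."""
    return [(e.get("EventCode"), e.get("RecordNumber"))
            for e in events if not e.get("Message", "").strip()]

def empty_counts_by_code(events):
    """Count blank-message events per EventCode, to show which codes are affected."""
    return Counter(code for code, _ in empty_message_events(events))

if __name__ == "__main__":
    print(empty_message_events(parse_events(SAMPLE)))
```

Run against an export of indexed events, a non-empty result for account-management codes such as 628 or 644 means the audit detail is being lost before indexing.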