Why are Windows event logs with MSSQLSERVER$AUDIT as source getting truncated and the message is empty?

gregory_cordier
Explorer

Hi,

We have an auditing setup which logs to the Windows event logs (Forwarded Events) with "MSSQLSERVER$AUDIT" as the source.
They are displayed well in the Event Viewer console, but the log is truncated and the message is empty:

Here is the input file on the Windows server:

On the other hand, "Microsoft Windows Security auditing" events that are in "Forwarded Events" too are correctly sent and parsed in the Splunk indexer.

How come?
Where else do I have to check?

The Splunk UF is installed on the Windows server with the Windows Events Collector.

Thanks

1 Solution

gregory_cordier
Explorer

After searching and getting help from support, I tried the solution described in https://answers.splunk.com/answers/326943/why-is-windows-event-log-message-data-being-trunca.html

Now the logs are fully sent and parsed.

richgalloway
SplunkTrust

@gregory.cordier If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.