I was leaning towards this being a config file issue as well.
[monitor://D:\Bit9\LogFiles\*.bt9]
disabled = false
followTail = 0
index = bit9_test
Here's an example of an event:
{
ABId:
ABState:
BanName:
Bit9Server: <redacted>
CLVersion:
EventParam1: 381
EventParam2: Dec 22 2015 12:00AM
EventParam3:
EventSubType: Old events were deleted
EventSubTypeId: 107
EventType: Server Management
EventTypeId: 0
FileHash:
FileHashType:
FileName:
FileThreat:
FileTrust:
HostIP:
HostId:
HostName: System
IndicatorName:
InstallerHash:
InstallerHashType:
LocStringId: 247
Message: Deleting 381 events older than Dec 22 2015 12:00AM.
MessageTime: 1/19/2016 8:00:51 AM
PathName:
Platform:
Policy:
PolicyId:
Priority: Notice
ProcessFileName:
ProcessHash:
ProcessHashType:
ProcessKey:
ProcessPathName:
ProcessThreat:
ProcessTrust:
ProcessUsageCounter:
RootName:
RuleName:
RuleType:
Timestamp: 1/19/2016 8:00:51 AM
UpdaterName:
UsageCounter:
UserName: System
UserSid: 2
}
Same thing in raw text:
{ "Timestamp": "1/19/2016 8:00:51 AM", "MessageTime": "1/19/2016 8:00:51 AM", "Bit9Server": "<redacted>", "EventType": "Server Management", "EventSubType": "Old events were deleted", "EventTypeId": "0", "EventSubTypeId": "107", "Message": "Deleting 381 events older than Dec 22 2015 12:00AM.", "HostName": "System", "PathName": "", "FileName": "", "ProcessPathName": "", "ProcessFileName": "", "FileHash": "", "FileHashType": "", "InstallerHash": "", "InstallerHashType": "", "HostIP": "", "Policy": "", "Platform": "", "RuleName": "", "BanName": "", "UpdaterName": "", "Priority": "Notice", "UserName": "System", "ProcessHash": "", "ProcessHashType": "", "RootName": "", "RuleType": "", "FileTrust": "", "FileThreat": "", "UsageCounter": "", "ProcessTrust": "", "ProcessThreat": "", "ProcessUsageCounter": "", "CLVersion": "", "EventParam1": "381", "EventParam2": "Dec 22 2015 12:00AM", "EventParam3": "", "HostId": "", "PolicyId": "", "UserSid": "2", "ABId": "", "ABState": "", "LocStringId": "247", "ProcessKey": "", "IndicatorName": "" }
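To show what a downstream consumer has to cope with in this event format, here is an added example (not from the poster or from Bit9/Splunk) that parses the raw JSON line above, converts the two `M/D/YYYY h:MM:SS AM` timestamps into ISO 8601, drops the many empty-string fields, and casts the numeric-looking ids to integers. The sample line is the one from the post (Bit9Server already redacted there); the UTC zone is an assumption, since the event carries no timezone, and the field names treated as numeric are chosen from the post rather than from any Bit9 documentation.

```python
import json
from datetime import datetime, timezone

# The raw Bit9 event exactly as posted above (Bit9Server value already redacted in the post).
RAW_EVENT = (
    '{ "Timestamp": "1/19/2016 8:00:51 AM", "MessageTime": "1/19/2016 8:00:51 AM", '
    '"Bit9Server": "<redacted>", "EventType": "Server Management", '
    '"EventSubType": "Old events were deleted", "EventTypeId": "0", "EventSubTypeId": "107", '
    '"Message": "Deleting 381 events older than Dec 22 2015 12:00AM.", "HostName": "System", '
    '"PathName": "", "FileName": "", "ProcessPathName": "", "ProcessFileName": "", '
    '"FileHash": "", "FileHashType": "", "HostIP": "", "Policy": "", "Priority": "Notice", '
    '"UserName": "System", "EventParam1": "381", "EventParam2": "Dec 22 2015 12:00AM", '
    '"EventParam3": "", "HostId": "", "PolicyId": "", "UserSid": "2", "LocStringId": "247" }'
)

# Format seen in the Timestamp/MessageTime fields: month and hour are not zero-padded.
BIT9_TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"

# Fields that look numeric in the posted event (assumption: chosen from the post, not Bit9 docs).
NUMERIC_FIELDS = ("EventTypeId", "EventSubTypeId", "EventParam1", "LocStringId", "UserSid")


def parse_bit9_time(value, tz=timezone.utc):
    """Parse a Bit9 timestamp string into an aware datetime.

    The event carries no zone, so the caller supplies one (UTC by assumption).
    """
    return datetime.strptime(value, BIT9_TIME_FORMAT).replace(tzinfo=tz)


def empty_fields(raw):
    """Return the names of fields whose value is the empty string."""
    return sorted(k for k, v in raw.items() if v == "")


def normalize_event(line):
    """Turn one raw Bit9 JSON line into a cleaned dict suitable for indexing.

    - empty-string fields are dropped rather than indexed as ""
    - Timestamp/MessageTime become ISO 8601 strings
    - id/count fields become ints when they are purely digits
    """
    raw = json.loads(line)
    event = {k: v for k, v in raw.items() if v != ""}
    for key in ("Timestamp", "MessageTime"):
        if key in event:
            event[key] = parse_bit9_time(event[key]).isoformat()
    for key in NUMERIC_FIELDS:
        if key in event and event[key].isdigit():
            event[key] = int(event[key])
    return event


if __name__ == "__main__":
    cleaned = normalize_event(RAW_EVENT)
    print("empty fields dropped:", empty_fields(json.loads(RAW_EVENT)))
    print(json.dumps(cleaned, indent=2))
```

Running it against the posted line yields `Timestamp` as `2016-01-19T08:00:51+00:00`, `EventParam1` as the integer 381, and none of the blank `File*`/`Process*` keys, which is the shape you would want before writing a detection on these events rather than on strings that happen to be empty.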