Hi,
In case it helps anyone else, I had a similar problem with the ForwardedEvents log. My setup is a 2008R2 server set up as an Event Log collector using a source-initiated subscription. Servers on my test domain were configured via Group Policy to use the collector. They then download the settings that determine which of their events to send to the collector. The Universal Forwarder is installed on the collector for onward forwarding to Splunk. I had two problems, with the following solutions.
Events were not rendering correctly within the Forwarded Events event log on the collector server. This is apparently a known bug on 2008R2, and changing the server's regional settings to English (United States) fixed that issue.
Once the first issue was resolved, events sent to Splunk were showing the message listed by the original poster. The resolution to this was to alter the format of events for the Event Subscription on the collector. This needs to be done from the command line rather than the Event Viewer: `wecutil ss <SUBSCRIPTION NAME> /cf:events`. The default is RenderedText. When I switched the format to Events, messages started displaying in Splunk correctly (I did have to reboot the source server first to force it to check for an updated subscription policy). I have read this can place additional load on the source if there are a lot of events, so be warned.
It's still early days for my testing, so I can't promise no other problems further down the road, but the above has fixed my immediate ones.
Simon
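To check the same setting across every subscription on a collector rather than one at a time, here is an added PowerShell example (my own, not from Simon's post). It assumes an elevated prompt on the collector, that `wecutil es` lists one subscription name per line, and that `wecutil gs` prints a `ContentFormat:` line as it does on 2008R2.

```powershell
# Audit (and optionally fix) the ContentFormat of every WEF subscription on
# this collector. Subscriptions still on RenderedText are the ones that show
# up unrendered in Splunk; -Fix switches them to Events.
param(
    [switch]$Fix   # change RenderedText subscriptions to Events
)

# 'wecutil es' enumerates subscription names, one per line.
$subs = & wecutil es | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
if (-not $subs) {
    Write-Warning 'No subscriptions found on this collector.'
    return
}

foreach ($name in $subs) {
    # 'wecutil gs' dumps the subscription configuration; the line we want
    # looks like:  ContentFormat: RenderedText
    $cfg = (& wecutil gs $name) -join "`n"
    $m = [regex]::Match($cfg, '(?m)^\s*ContentFormat:\s*(\S+)')
    if (-not $m.Success) {
        Write-Warning "$name : could not read ContentFormat from wecutil output"
        continue
    }
    $fmt = $m.Groups[1].Value

    if ($fmt -ieq 'Events') {
        Write-Output "$name : Events (raw XML, fine for the Universal Forwarder)"
    }
    elseif ($Fix) {
        # Same command as in the post above; sources pick the change up on
        # their next subscription policy refresh (or after a reboot).
        & wecutil ss $name /cf:Events
        Write-Output "$name : was $fmt, now set to Events"
    }
    else {
        Write-Output "$name : $fmt  <- will render badly in Splunk; rerun with -Fix"
    }
}
```

Run it without `-Fix` first to see which subscriptions would change, since switching to Events raises the rendering load on the sources as the post notes.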