Inspecting the API calls that splunk-winevtlog.exe makes on a Windows Server 2025 VM, it appears that winevt.h - EvtFormatMessage [1] is filling the buffer for the formatted message string with the same value for any calls with the Flags set to EvtFormatMessageTask [2]. As far as I can tell, the value gets set to whatever the first event happens to be, and any subsequent calls get the same value.

You can observe the same issue in PowerShell:

Get-WinEvent -LogName Security -MaxEvents 10 | Select RecordId, Id, TaskDisplayName

Execute the above PowerShell command on a Server 2025 / Windows 11 machine and all values for TaskDisplayName should be the same, no matter what type of event it actually is. Any subsequent executions of the PowerShell command might have a different value, depending on which event gets "formatted" first.

I observed the same issue in a slightly older version of winlogbeat and Cribl Edge a while back. To me this indicates an underlying issue in the Windows Event Log API that these tools use.

[1] https://learn.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtformatmessage
[2] https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_format_message_flags
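A check for the behaviour described in the post, written here as an added example rather than code from the post: it groups events by their numeric Task code, which is read straight from the record and does not pass through EvtFormatMessage, and reports whether TaskDisplayName still varies with that code. The log name and event count are arbitrary assumptions; reading the Security log needs administrative rights.

```powershell
# Added example, not from the original post.  Compares the numeric Task code
# of each event with the TaskDisplayName string that Get-WinEvent obtains via
# the event-log formatting API, to spot the "one display name for every event"
# symptom.  Assumed parameters: Security log, last 200 events.
param(
    [string]$LogName = 'Security',
    [int]$MaxEvents = 200
)

$events = @(Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop)

# Group by the numeric Task code; this value comes from the raw event record.
$byTask = @($events | Group-Object -Property Task)

# Distinct formatted task strings across the whole sample.
$distinctNames = @($events |
    Where-Object { $_.TaskDisplayName } |
    Select-Object -ExpandProperty TaskDisplayName -Unique)

Write-Host ("Read {0} events with {1} distinct Task code(s) and {2} distinct TaskDisplayName value(s)" -f `
    $events.Count, $byTask.Count, $distinctNames.Count)

# One row per Task code, listing every display name seen for it.
$byTask | Sort-Object { [int]$_.Name } | ForEach-Object {
    $names = @($_.Group | Select-Object -ExpandProperty TaskDisplayName -Unique)
    [pscustomobject]@{
        Task         = $_.Name
        Events       = $_.Count
        DisplayNames = ($names -join '; ')
    }
} | Format-Table -AutoSize

# Healthy output has roughly one display name per Task code.  The symptom in
# the post is several Task codes sharing a single display name.
if ($byTask.Count -gt 1 -and $distinctNames.Count -le 1) {
    $msg = '{0} distinct Task codes but only {1} TaskDisplayName value(s): formatted task strings are not varying per event' -f `
        $byTask.Count, $distinctNames.Count
    Write-Warning $msg
} else {
    Write-Host 'TaskDisplayName varies with Task code as expected'
}
```

Run the script twice; if the single shared display name changes between runs, that matches the post's observation that it depends on which event is formatted first.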