WinRM - Incomplete events with System Channel on ID 7036
Hi community, I have a customer who recently deployed NetWitness 11.4.1 and is retrieving Windows events using WinRM. Almost all events were retrieved just fine except those within the System channel with ID 7036. The raw event is as follows:
%NICWIN-4-System_7036_Service Control Manager: System,rn=4845808 cid=2104 eid=716,Thu Jul 30 14:50:16 2020,7036,Service Control Manager,,,host.domain.net,0,,
This kind of event obviously isn't parsed correctly, causing the existence of the "word" meta key.
Maybe we are missing something on the Windows server side, but I don't know how to pinpoint this issue.
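To make the "incomplete" event in the post measurable rather than something you spot in the "word" meta key, here is an added example (not NetWitness code, and not from the original thread) that parses the NICWIN header shape quoted above and counts, per channel and event ID, the records that arrive without message text. The body field positions and the message layout are inferred from the one sample line and are assumptions; the second sample event is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Header layout copied from the raw event quoted in the thread:
# %NICWIN-<sev>-<Channel>_<EventID>_<Provider>: <comma-separated body>
HEADER_RE = re.compile(r"^%NICWIN-\d+-(?P<channel>[^_]+)_(?P<event_id>\d+)_(?P<provider>[^:]+): (?P<body>.*)$")

@dataclass
class NicwinEvent:
    channel: str
    event_id: int
    provider: str
    timestamp: str
    host: str
    message: str  # "" when the event arrived without its message text

def parse_nicwin(raw):
    """Split one NICWIN line. Body positions (timestamp=2, id=3, provider=4, host=7,
    message from 9 on) are inferred from the sample: an assumption, not documented format."""
    m = HEADER_RE.match(raw.strip())
    if not m:
        return None
    fields = m.group("body").split(",")
    if len(fields) < 9:
        return None
    return NicwinEvent(
        channel=fields[0], event_id=int(fields[3]), provider=fields[4],
        timestamp=fields[2], host=fields[7],
        # Empty trailing fields collapse to "" so a truncated event is easy to spot.
        message=",".join(fields[9:]).strip(" ,"),
    )

def is_incomplete(evt):
    """What the thread calls 'incomplete': header present, message text missing."""
    return evt.message == ""

def incomplete_by_event_id(lines):
    """Count truncated events per (channel, event id); a problem confined to one type stands out."""
    counts = Counter()
    for line in lines:
        evt = parse_nicwin(line)
        if evt is not None and is_incomplete(evt):
            counts[(evt.channel, evt.event_id)] += 1
    return dict(counts)

# Constructed sample: the first line is the one quoted in the thread, the second is made up.
SAMPLE_EVENTS = [
    "%NICWIN-4-System_7036_Service Control Manager: System,rn=4845808 cid=2104 eid=716,"
    "Thu Jul 30 14:50:16 2020,7036,Service Control Manager,,,host.domain.net,0,,",
    "%NICWIN-4-System_7040_Service Control Manager: System,rn=4845810 cid=2104 eid=718,"
    "Thu Jul 30 14:51:02 2020,7040,Service Control Manager,,,host.domain.net,0,,"
    "The start type of the Windows Update service was changed from auto start to demand start.",
]
```

Run it over a day of collected raw lines and compare the per-ID counts against the collector's overall volume; if only System/7036 shows up, the fault is in how that event type is rendered or collected, not in the channel as a whole.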
Max, this may be a shot in the dark, but I believe I have had this truncation problem when "Render Events" was not checked in the UI on the NetWitness side. If you need to check it, restart the Windows log collection.
Aaron, I have checked that with my customer and he already has that option enabled... One thing to keep in mind: this is the only type of event that seems to be incomplete.