Windows Event Logs parsing Source Network Address
I noticed the same issue this year, mostly because I like to track failed Windows 529 login events and I could have sworn the source IP was being parsed in late 2009. I don't remember what changed in our environment - an event source update, an EE update, a service pack - but when I went to run an EE table in January the information I expected was not all there. After the event source update at the end of January, most things came back, but not all. Furthermore, all of our Windows domain controllers (over 70) are being converted from Windows 2003 to Windows 2008 R2, which is causing problems with existing reports. We have had multiple 'crisis of the day' situations elsewhere, so every time I start to investigate further something comes up. RSA support wanted me to produce lsdata output for them - but again, multiple emergencies keep interfering. Hopefully they will address it in the next event source update!
Yeah, glad I'm not the only one with that issue. It is unfortunate that updates within enVision continually break things. I honestly don't have the time or the manpower to go back and test every report and alert we have created after each service pack or event source update. I create it, test it, it works fine, and I expect it to work fine in the future barring a major update (e.g. 2003 to 2008).
I think I have an idea of what might be happening. I have a few questions that will help me validate this.
- What version (and service pack) of enVision are you running?
- What was the most recent ESU applied?
- What Windows version are you running (specifically, I'm interested in whether you are running 'R2' or Data Center/Enterprise editions)?
You mentioned you saw the address show up within the message. I'm curious: if you look at the event description column (which I believe maps to Details2 in EE on v4 using the data store model), does the source address show up in there along with other text? Similarly, you could use the Query tool in the WebUI and look at the Description column.
The problem is that there is no consistency in the use of variables between the 2003 and 2008 messages. It has created quite a bit of confusion for me as well when trying to create reports in a mixed environment. For instance, in 2003 the variable <process> is used for the Logon Process portion of the 528 message. However, the corresponding 4624 message puts the process name in the <process> variable, and the Logon Process is now in the <additionalinfo1> variable. There are other inconsistencies that are making it difficult for both alerting and reporting.
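An added example, not code from this thread or from RSA enVision: a small Python normaliser for the Windows 2003 (528/529) and 2008 (4624/4625) logon messages that pulls out Source Network Address for the failed-logon-by-source report described in the first post, and lines up the Logon Process / Process Name fields that the last post says land in different variables between the two versions. The section and field labels follow the Windows event descriptions; the event texts below are constructed with made-up values, and the output field names (source_address, logon_process, ...) are this example's own choice, not enVision variables.

```python
"""Normalise Windows 2003 (528/529) and 2008 (4624/4625) logon events.
Added example, not thread or enVision code; sample events are constructed."""
import re

# Constructed Windows 2003 event 529 text (failed logon, made-up values).
WIN2003_529 = """Logon Failure:
    Reason:  Unknown user name or bad password
    User Name:  jdoe
    Domain:  CORP
    Logon Type:  3
    Logon Process:  NtLmSsp
    Caller Process ID:  -
    Source Network Address:  10.1.2.3
    Source Port:  0
"""

# Constructed Windows 2008 event 4624 text (successful logon, made-up values).
WIN2008_4624 = """An account was successfully logged on.

Subject:
    Account Name:  DC01$
    Account Domain:  CORP

Logon Type:  3

New Logon:
    Account Name:  jdoe
    Account Domain:  CORP

Process Information:
    Process Name:  -

Network Information:
    Workstation Name:  WS01
    Source Network Address:  10.1.2.3
    Source Port:  49152

Detailed Authentication Information:
    Logon Process:  Kerberos
"""

_FIELD = re.compile(r"^\s*([^:\t]+?):\s*(.*?)\s*$")

def parse_fields(description):
    """Return {(section, label): value}; Windows' '-' placeholder becomes None.

    An unindented 'Label:' with no value opens a section ('Subject:',
    'New Logon:'); other unindented fields sit in the implicit '' section.
    """
    fields, section = {}, ""
    for raw in description.splitlines():
        m = _FIELD.match(raw)
        if not m:
            continue
        label, value = m.group(1).strip(), m.group(2)
        if raw[:1] not in (" ", "\t"):
            section = label if value == "" else ""
            if value == "":
                continue
        fields[(section, label)] = None if value in ("", "-") else value
    return fields

def _get(fields, label, section=None):
    """Look up a label, preferring `section`: 'Account Name' repeats across
    the 2008 sections, so the caller has to say which one it means."""
    if (section, label) in fields:
        return fields[(section, label)]
    return next((v for (_, l), v in fields.items() if l == label), None)

# (schema, outcome) per event ID; 2003 and 2008 use different IDs for the same thing.
SCHEMA = {528: ("2003", "success"), 529: ("2003", "failure"),
          4624: ("2008", "success"), 4625: ("2008", "failure")}

def normalize(event_id, description):
    """Map a logon event onto one field set regardless of Windows version.
    The output names are this example's own, not enVision variables."""
    schema, outcome = SCHEMA[event_id]
    f = parse_fields(description)
    if schema == "2003":
        user, domain = _get(f, "User Name"), _get(f, "Domain")
        process_name = None  # 2003 reports only a Caller Process ID, no name
    else:
        sect = "New Logon" if outcome == "success" else "Account For Which Logon Failed"
        user, domain = _get(f, "Account Name", sect), _get(f, "Account Domain", sect)
        process_name = _get(f, "Process Name", "Process Information")
    return {
        "event_id": event_id, "outcome": outcome, "user": user, "domain": domain,
        "logon_type": _get(f, "Logon Type"),
        # Same label in both versions; 2008 just moves it to a later section.
        "logon_process": _get(f, "Logon Process"),
        "process_name": process_name,
        "source_address": _get(f, "Source Network Address"),
        "source_port": _get(f, "Source Port"),
    }

def failed_by_source(events):
    """Count failed logons per source address across a mixed 2003/2008 fleet;
    events with no network source ('-', e.g. local logons) are skipped."""
    counts = {}
    for event_id, description in events:
        rec = normalize(event_id, description)
        if rec["outcome"] == "failure" and rec["source_address"]:
            counts[rec["source_address"]] = counts.get(rec["source_address"], 0) + 1
    return counts
```

The section-aware lookup is the part that matters in a mixed environment: a flat label match would pick up the Subject's Account Name (the service account on the DC) instead of the New Logon account in 4624, and would happily report '-' as a source address for console logons unless the placeholder is turned into an empty value first.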