
Unable to read custom application log using Winrm

Question asked by David Waugh on Oct 22, 2018
Latest reply on Oct 31, 2018 by David Waugh

Hello

We have a system that writes to the application log.

I can collect other application log messages, but the particular messages written by this application are not rendered correctly.

What I can see is:

%NICWIN-4-Application_1_BLAH: Application,rn=191245 cid= eid=,Sun Oct 21 23:15:17 2018,1,BLAH,,Classic,mycomputer.mydomain.com,0,,

Here you can see that the event is truncated.

Now other application logs are displayed correctly, so the collecting user is a member of the Event Log Readers group.

If I look in the XML of the event in the Microsoft Event Viewer, then it has the following fields:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="BLAH" />
    <EventID Qualifiers="0">1</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-10T02:57:20.014995400Z" />
    <EventRecordID>217297</EventRecordID>
    <Channel>Application</Channel>
    <Computer>mycomputer.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>CEF:0|BLAH|Field1|Version|OtherStuff|Process succeeded|Low|Lot of Other CEF Fields</Data>
  </EventData>
</Event>
At the moment I just want to be able to see the full message. Then I will write a parser to pick out the metadata.

Any ideas why the full message is not being collected?

This is a Windows 2016 Server, but other application log messages are being received fine.

I checked the normal reasons for truncated messages, but have hit a blank on this one. Can anyone help?

On the VLC I have put the Event Source into Verbose mode and can see the message come in correctly when I look in the VLC logs:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="BLAH"/>
    <EventID Qualifiers="0">1</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-26T23:15:13.148221600Z"/>
    <EventRecordID>123724</EventRecordID>
    <Channel>Application</Channel>
    <Computer>mycomputer.mydomain.com</Computer>
    <Security/>
  </System>
  <EventData>
    <Data>CEF:0|BLAH|Field1|Version|OtherStuff|Process succeeded|Low|Lot of Other CEF Fields</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message/>
    <Level>Information</Level>
    <Task/>
    <Opcode>Info</Opcode>
    <Channel/>
    <Provider/>
    <Keywords>
      <Keyword>Classic</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>
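As an added example, not code from the post or from the collector product, here is a small Python parser for the event shape shown above: it takes the rendered RenderingInfo/Message when one exists and otherwise falls back to the raw EventData/Data payload (which is where this classic-provider event carries its text), then splits that payload into CEF header fields and extension key=value pairs. The sample event is constructed from the post; the extension fields (src, msg, act) are assumed stand-ins for "Lot of Other CEF Fields" and are chosen to exercise CEF escaping.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")

# Constructed sample based on the event in the post; the extension fields
# after the seventh pipe are assumed (the post only shows a placeholder).
SAMPLE_EVENT = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="BLAH"/><EventID Qualifiers="0">1</EventID>'
    '<Level>4</Level><Channel>Application</Channel>'
    '<Computer>mycomputer.mydomain.com</Computer></System>'
    '<EventData><Data>CEF:0|BLAH|Field1|Version|OtherStuff|Process succeeded|Low|'
    'src=10.0.0.5 msg=Job 7 a\\=b done act=allow</Data></EventData>'
    '<RenderingInfo Culture="en-US"><Message/><Level>Information</Level>'
    '</RenderingInfo></Event>'
)

def event_message(xml_text):
    """Return RenderingInfo/Message if it has text; otherwise the joined
    EventData/Data payload, which is all this event actually carries."""
    root = ET.fromstring(xml_text)
    msg = root.findtext("e:RenderingInfo/e:Message", default="", namespaces=NS)
    if msg.strip():
        return msg.strip()
    data = root.findall("e:EventData/e:Data", NS)
    return "\n".join((d.text or "") for d in data).strip()

def parse_cef(line):
    """Split one CEF record into its seven header fields plus an extension dict.
    Header fields are separated by unescaped '|' ('\\|' is a literal pipe);
    extension values may contain spaces and escape '=' as '\\='."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    unescape = lambda s: s.replace("\\|", "|").replace("\\\\", "\\")
    record = dict(zip(HEADER_FIELDS, map(unescape, parts[:7])))
    ext = {}
    # A key is a run of word characters followed by '='; a value runs until
    # the next whitespace-separated key or the end of the line.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    record["extension"] = ext
    return record

if __name__ == "__main__":
    print(parse_cef(event_message(SAMPLE_EVENT)))
```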
