Hello
We have a system that writes to the application log.
I can collect other application log messages, but the particular messages written by this application are not rendered correctly.
What I can see is:
%NICWIN-4-Application_1_BLAH: Application,rn=191245 cid= eid=,Sun Oct 21 23:15:17 2018,1,BLAH,,Classic,mycomputer.mydomain.com,0,,
Here you can see that the event is truncated.
Now other application logs are displayed correctly, so the collecting user is a member of the Event Log Readers group.
If I look in the XML of the event in the Microsoft Event Viewer then it has the following fields:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="BLAH"/>
    <EventID Qualifiers="0">1</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-05-26T23:15:13.148221600Z"/>
    <EventRecordID>123724</EventRecordID>
    <Channel>Application</Channel>
    <Computer>mycomputer.mydomain.com</Computer>
    <Security/>
  </System>
  <EventData>
    <Data>CEF:0|BLAH|Field1|Version|OtherStuff|Process succeeded|Low|Lot of Other CEF Fields</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message/>
    <Level>Information</Level>
    <Task/>
    <Opcode>Info</Opcode>
    <Channel/>
    <Provider/>
    <Keywords>
      <Keyword>Classic</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>
I managed to bodge a workaround for this.
1) Set up the event source for WinRM collection as normal, and confirm you are getting events in (even if they are truncated).
2) Put the event source into debug verbose mode.
3) This causes all events to be written to the /var/log/netwitness/logcollector/ log files.
4) Change the size of the log files to 10MB. This causes them to roll over more frequently.
5) Grab events out of the log files and re-inject them into the system.
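The event above shows why the collected line is cut short: the provider is Classic, RenderingInfo/Message is empty, and the whole CEF record lives only in EventData/Data. The following is an added example (not code from the post or from NetWitness) that reads such an event, falls back to EventData when the rendered Message is empty, and splits the CEF payload into its header and extension fields. The event XML and the extension values (src, suser, msg) are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample modelled on the event in the post: Message is empty,
# the CEF payload lives only in EventData/Data (extension values are made up).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="BLAH"/>
    <EventID Qualifiers="0">1</EventID>
    <Level>4</Level>
    <Channel>Application</Channel>
    <Computer>mycomputer.mydomain.com</Computer>
  </System>
  <EventData>
    <Data>CEF:0|BLAH|Field1|Version|OtherStuff|Process succeeded|Low|src=10.0.0.1 suser=alice msg=Login ok</Data>
  </EventData>
  <RenderingInfo Culture="en-US"><Message/></RenderingInfo>
</Event>"""


def event_payload(xml_text):
    """Return the rendered Message if present, else the raw EventData text."""
    root = ET.fromstring(xml_text)
    msg = root.find("e:RenderingInfo/e:Message", NS)
    if msg is not None and (msg.text or "").strip():
        return msg.text.strip()
    # Classic providers with no message file leave <Message/> empty,
    # so the only usable content is the EventData/Data elements.
    return ",".join(d.text or "" for d in root.findall("e:EventData/e:Data", NS))


def parse_cef(line):
    """Split a CEF line into its 7 header fields and extension key=value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header pipes may be escaped as \|, so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    keys = ["version", "vendor", "product", "product_version",
            "signature_id", "name", "severity"]
    header = dict(zip(keys, (p.replace("\\|", "|") for p in parts[:7])))
    header["version"] = header["version"].split(":", 1)[1]
    # Extension values may contain spaces; a new key starts at " key=".
    ext = {m.group(1): m.group(2)
           for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])}
    return header, ext
```

Running event_payload on the collector's rendered view would return the empty Message for this provider, which is the truncation seen in the post; feeding EventData/Data through parse_cef instead recovers the full record.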