Hello
We have a system that writes to the application log.
I can collect other application log messages, but the particular messages written by this application are not rendered correctly.
What I can see is:
%NICWIN-4-Application_1_BLAH: Application,rn=191245 cid= eid=,Sun Oct 21 23:15:17 2018,1,BLAH,,Classic,mycomputer.mydomain.com,0,,
Here you can see that the event is truncated.
Now other application logs are displayed correctly so the collecting user is a member of the event log readers group.
If I look in the XML of the event in the Microsoft Event Viewer then it has the following fields
<Provider Name="BLAH" />
<EventID Qualifiers="0">1</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-10-10T02:57:20.014995400Z" />
<EventRecordID>217297</EventRecordID>
<Channel>Application</Channel>
<Computer>mycomputer.mydoamin.com</Computer>
<Security />
</System>
<Data>CEF:0|BLAH|Field1|Version|OtherStuff|Process succeeded|Low|Lot of Other CEF Fields</Data>
</EventData>
</Event>
At the moment I just want to be able to see the fill message. Then I will write a parser to pick out the meta data.
Any ideas why the full message is not being collected?
This is a Windows 2016 Server, but other application log messages are being received fine.
I checked the normal reasons for truncated messages, but have hit a blank on this one. Can anyone help?
On the VLC I have put the Event Source into Verbose mode and can see the message come in correctly when I look in the VLC Logs.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="BLAH"/>
<EventID Qualifiers="0">1</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-05-26T23:15:13.148221600Z"/>
<EventRecordID>123724</EventRecordID>
<Channel>Application</Channel>
<Computer>mycomputer.mydomain.com</Computer>
<Security/>
</System>
<EventData>
<Data>CEF:0|BLAH|Field1|Version|OtherStuff|Process succeeded|Low|Lot of Other CEF Fields</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Message/>
<Level>Information</Level>
<Task/>
<Opcode>Info</Opcode>
<Channel/>
<Provider/>
<Keywords>
<Keyword>Classic</Keyword>
</Keywords>
</RenderingInfo>
</Event>
<System>
<Provider Name="BLAH"/>
<EventID Qualifiers="0">1</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-05-26T23:15:13.148221600Z"/>
<EventRecordID>123724</EventRecordID>
<Channel>Application</Channel>
<Computer>mycomputer.mydomain.com</Computer>
<Security/>
</System>
<EventData>
<Data>CEF:0|BLAH|Field1|Version|OtherStuff|Process succeeded|Low|Lot of Other CEF Fields</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Message/>
<Level>Information</Level>
<Task/>
<Opcode>Info</Opcode>
<Channel/>
<Provider/>
<Keywords>
<Keyword>Classic</Keyword>
</Keywords>
</RenderingInfo>
</Event>
I managed to bodge a work around for this.
1) Set up the event source for winrm collection as normal, and confirm you are getting events in (even if they are truncated)
2) Put the event source into debug verbose mode.
3)This causes all events to be written to the /var/log/netwitness/logcollector/ log files
4) Change the size of the Log Files to 10MB. This causes them to rollover more frequently
5) Grab events out of log files and re inject them into the system