Windows Event Collector truncating events and replaced with CODE

    Question

  • Hi 

    We have Windows Event Collection working, with a few issues as below. Wondering if anyone can help us: what could we do about this?

    1) When I looked at the collector, events are not recorded exactly the same and some are replaced with the code number. Then when I go back to the client, the client has the full information.

    E.g.

    Events on Collector 

    10/11/2013 08:13:03 AM
    LogName=Microsoft-Windows-AppLocker/EXE and DLL
    SourceName=Microsoft-Windows-AppLocker
    EventCode=8004
    EventType=2
    Type=Error
    ComputerName= hostname
    User=mmurtrie
    Sid=S-1-5-21-948756243-734778046-674738317-13796
    SidType=1
    TaskCategory=None
    OpCode=Info
    RecordNumber=95132
    Keywords=None
    Message=%11 was prevented from running.

    Event on Client (Server)

    Log Name: Microsoft-Windows-AppLocker/EXE and DLL
    Source: AppLocker
    Event ID: 8004
    Level: Error
    User: domain\username
    OpCode: Info
    Logged: 11/10/2013 8:13:03 AM
    Task Category: None
    Keywords: 
    Computer: hostname
    Message: %SYSTEM32%\CMD.EXE was prevented from running.

    2) On the collector server, events are not displaying correctly.

    E.g.

    The description for Event ID 16397 from source NfsClnt cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event: 

    Thank you, and hopefully someone can help us.

    Tuesday, December 10, 2013 5:48 AM

All replies

  • Hi,

    Event Collector service can receive events from event sources in remote Windows computers and publish these events into a local event log.

    Please make sure you have enough disk space for storage and no corrupted files or virus infection on the collector server.

    Best regards,

    Susie

    Wednesday, December 11, 2013 6:23 AM
    Moderator
  • Hi Susie

    Sorry for the delayed reply.

    We do not have an issue with disk space, viruses or corruption.

    I do not know why the first scenario is occurring.

    But

    I do roughly know why the second scenario occurs, but do not know exactly, hence I am here asking the question.

    i.e. a missing DLL to read events from a particular application, as the application has not been installed on the collector.

    Thank you


    • Edited by akg1 Wednesday, January 01, 2014 10:05 PM
    Wednesday, January 01, 2014 10:05 PM
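
A check for the two symptoms described in this thread, as an added example that is not part of the original posts: it scans collector events in the `Key=Value` layout quoted in the question and flags messages left with an unresolved placeholder (such as `%11`) or with the "description ... cannot be found" text. The function names and the sample records are constructed for illustration, and a blank line between records is an assumption.

```python
import re

# Unresolved insertion placeholder such as "%11" or "%%1833"; "%SYSTEM32%" must not match.
PLACEHOLDER = re.compile(r"(?<!\w)%{1,2}\d+\b")
# Text shown when no message resource for the event source is available locally.
NO_DESCRIPTION = re.compile(r"The description for Event ID \d+ from source \S+ cannot be found")

def parse_records(text):
    """Split Key=Value text into one dict per event; a blank line ends a record."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return records

def find_unrendered(text):
    """Return (RecordNumber, EventCode, reason) for events whose Message was not rendered."""
    findings = []
    for rec in parse_records(text):
        msg = rec.get("Message", "")
        if NO_DESCRIPTION.search(msg):
            reason = "missing message description"
        elif PLACEHOLDER.search(msg):
            reason = "unresolved placeholder " + PLACEHOLDER.search(msg).group(0)
        else:
            continue
        findings.append((rec.get("RecordNumber"), rec.get("EventCode"), reason))
    return findings

# Constructed sample modelled on the events quoted in the thread.
SAMPLE = """\
EventCode=8004
RecordNumber=95132
Message=%11 was prevented from running.

EventCode=8004
RecordNumber=95133
Message=%SYSTEM32%\\CMD.EXE was prevented from running.

EventCode=16397
RecordNumber=4021
Message=The description for Event ID 16397 from source NfsClnt cannot be found.
"""
```

Running `find_unrendered` over an export of the collector's forwarded events shows which event sources arrive without usable message text, so gaps in AppLocker or other audit data are noticed before the logs are relied on.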