Windows Event Collector truncating events and replaced with CODE


  • Hi 

    We have Windows Event Collection working, with a few issues as below. Wondering if anyone can help us; what could we do about this?

    1) When I looked at the collector, events are not recorded exactly the same and some are replaced with the code number. Then when I go back to the client, the client has the full information.


    Events on Collector 

    10/11/2013 08:13:03 AM
    LogName=Microsoft-Windows-AppLocker/EXE and DLL
    ComputerName= hostname
    Message=%11 was prevented from running.

    Event on Client (Server)

    Log Name: Microsoft-Windows-AppLocker/EXE and DLL
    Source: AppLocker
    Event ID: 8004
    Level: Error
    User: domain\username
    OpCode: Info
    Logged: 11/10/2013 8:13:03 AM
    Task Category: None
    Computer: hostname
    Message: %SYSTEM32%\CMD.EXE was prevented from running.

    2) On the Collector server, events are not displaying correctly.


    The description for Event ID 16397 from source NfsClnt cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event: 

    Thank you and hopefully someone can help us.

    Tuesday, December 10, 2013 5:48 AM

All replies

  • Hi,

    Event Collector service can receive events from event sources in remote Windows computers and publish these events into a local event log.

    Please make sure you have enough disk space for storage and no corrupted files or virus infection on the collector server.

    Best regards,


    Wednesday, December 11, 2013 6:23 AM
  • Hi Susie

    Sorry for the delayed reply.

    We do not have an issue with disk space, viruses or corruption.

    I do not know why the first scenario is occurring.


    I do roughly know why the second scenario occurs, but do not know exactly, hence I am here asking the question.

    I.e. a missing DLL to read events from a particular application, as the application has not been installed on the collector.

    Thank you

    • Edited by akg1 Wednesday, January 1, 2014 10:05 PM
    Wednesday, January 1, 2014 10:05 PM
  • I have the same issue, any solution?
    Monday, October 20, 2014 8:59 AM
  • No easy solution

    We had to copy the DLL from each server to the collector server to make the code disappear.

    Thank you 

    Tuesday, November 11, 2014 10:31 AM
  • Which DLL should be copied?

    Best regards

    Thursday, November 13, 2014 10:12 AM
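
The two symptoms in the original question (a literal `%11` left in the message, and the "description ... cannot be found" fallback text) can be checked for in bulk on the collector side. The following is an added example, not part of the thread: it assumes events exported as blank-line-separated `key=value` records like the collector record quoted in the question, the sample records are constructed from the thread's text, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Unresolved insertion placeholder (%11) or parameter reference (%%1234).
# Path macros such as %SYSTEM32% are not matched: a digit must follow the '%'.
PLACEHOLDER = re.compile(r"(?<![%\w])%{1,2}\d+(?![\w%])")
# Fallback text shown when the provider's message resources are not available.
NO_DESCRIPTION = re.compile(
    r"The description for Event ID (\d+) from source (\S+) cannot be found")

def parse_records(text):
    """Split blank-line-separated records into dicts of key=value fields."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:  # lines without '=' (e.g. the timestamp) are skipped
                rec[key.strip()] = value.strip()
        if rec:
            yield rec

def find_unrendered(text):
    """Return {source or log name: set of reasons} for unrendered events."""
    findings = defaultdict(set)
    for rec in parse_records(text):
        msg = rec.get("Message", "")
        missing = NO_DESCRIPTION.search(msg)
        token = PLACEHOLDER.search(msg)
        if missing:
            findings[missing.group(2)].add(
                f"no description for event {missing.group(1)}")
        elif token:
            findings[rec.get("LogName", "unknown")].add(
                f"unresolved {token.group(0)}")
    return dict(findings)

# Constructed sample: two broken records and one correctly rendered record.
SAMPLE = """\
10/11/2013 08:13:03 AM
LogName=Microsoft-Windows-AppLocker/EXE and DLL
ComputerName=hostname
Message=%11 was prevented from running.

Message=The description for Event ID 16397 from source NfsClnt cannot be found.

LogName=Microsoft-Windows-AppLocker/EXE and DLL
Message=%SYSTEM32%\\CMD.EXE was prevented from running.
"""

if __name__ == "__main__":
    for source, reasons in find_unrendered(SAMPLE).items():
        print(source, sorted(reasons))
```

The keys of the result are the sources and logs whose events arrive unrendered on the collector.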