3

I have Subscription Events set to forward windows server 2008's Terminal Services/LocalSessionManager/Operational logs to another window's server 2008's Forward Events section.

The Subscription Event is set with a HeartbeatInterval value of 300 (and yet still takes 15min or so to be sent).

However, once the log is finally passed onto the main Windows Server 2008 doing the Event Collecting the log is missing information.

The General view for the Forwarded Event will display the following:

Remote Desktop Services: Session reconnection succeeded:

User: %1
Session ID: %2
Source Network Address: %3

Why are these variables not filled in when Forwarded? Before it is forwarded the source machine tells me the user and the rest of the information. But the forwarded version of the log is missing this.

Expected display:

Remote Desktop Services: Session reconnection succeeded:

User: mydomain\myusername
Session ID: 2
Source Network Address: 123.4.5.6

However, when I view the Details tab I see that the information is all there!

- <UserData>
- <EventXML xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="Event_NS">
  <User>mydomain\myusername</User> 
  <SessionID>2</SessionID> 
  <Address>123.4.5.6</Address> 
  </EventXML>
  </UserData>

I have this event input into nxlog just fine.

The nxlog output data matches non forwarded events. Nxlog Output:

{"EventTime":"2014-05-21 12:49:35","Hostname":"myhostname.mywebsite.org","Keywords":1152921504606846976,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":25,"SourceName":"Microsoft-Windows-TerminalServices-LocalSessionManager","ProviderGuid":"{5D896912-022D-40AA-A3A8-4FA5515C76D7}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":89,"ProcessID":532,"ThreadID":3316,"Channel":"Microsoft-Windows-TerminalServices-LocalSessionManager/Operational","Domain":"NT AUTHORITY","AccountName":"SYSTEM","UserID":"SYSTEM","AccountType":"User","Opcode":"Info","EventReceivedTime":1400691838,"SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}

Once logstash receives the ouput from nxlog there are fields missing, most importantly the "Message" field containing what appears to be the General view of the eventlog is completely missing from these forwarded events. The "message" field is still there, but this only includes the nxlog output which is clearly missing the user details that I need.

Both the "Message" and "message" fields appear in logstash when dealing with nonforwarded events, but forwarded events are missing the "Message" field. How can I fix this?

EDIT: The Subscription Event ContentFormat is set to Events.

user220643
  • 49
  • 1
  • 4
  • [Take a look at this, and see if it helps](http://www.gorlani.com/portal/articles/windows-event-forwarding-and-missing-event-text). 1. Make sure you havet he required dlls on your system and 2. change the display from "rendered" to "event" type. – HopelessN00b May 21 '14 at 18:21
  • What you see is the "event" type. – user220643 May 21 '14 at 18:35

1 Answers1

1

I believe I have a solution, and it's not pretty.

After setting the Destination log in the Subscription to TerminalServices-LocalSessionManager/Operational all the data started coming in in tact in the Event Viewer as expected. There were no %1, %2, %3, nonsense, all the variables were filled.

When nxlog read the eventlogs and logstash read nxlog's output, the "message" and "Message" fields were all in tact as well. No data is missing and my parsers are working properly.

I don't understand it, but there is an issue with the Destination Log set to Forwarded Events. Somehow data is lost in the transfer.

ContentFormat was also set back to RenderedText.

Update: Setting it to RenderedText has solved the issue. Forwarded Events log was also, by default, capped at 20 MB, and had to be increased. Another issue is the Subscription included Domain Computers, which included the Subscription server itself which led to the windows server recursively forwarding its logs.

ContentFormat set back to RenderedText (default setting). Upped Destination log size to 5 GB. Excluded self from Subscription.

user220643
  • 49
  • 1
  • 4