1

I have two Win2012R2 servers. One is the Domain Controller, the other is an SQL Server. I created a subscription on the DC, gathering events 1149 (source : TerminalServices-RemoteConnectionManager) from the second server.

The events are gathered, but are not displayed correctly:

Remote Desktop Services: User authentication succeeded:

User: %1

Domain: %2

Source Network Address: %3

But in the XML information, everything is correct:

<UserData>
<EventXML xmlns="Event_NS">
<Param1>administrator</Param1> 
<Param2>MYDOMAIN</Param2> 
<Param3>192.168.0.2</Param3> 
</EventXML>
</UserData>

Someone else had the same problem here: Windows Forward Events Missing User Data and Description, but the solution didn't work for me.

I tried to:

  • Set the format as Events and RenderedText, it's the same.
  • Set the locale manually at EN-us, same
  • Set the locale to "FR-fr" as my keyboard is a French one (the OSes are English only): I get the famous error "Description for event id from source cannot be found"
  • Restarting
  • Adding NETWORK SERVICE to the Event Log Readers built-in group

Nothing changes.

Does someone have an idea?

Patator

2 Answers

1

OK, I got it. My OSes are in English. My keyboard layout is French. By default, the subscribed events had the XML parameter (don't know why):

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" xml:lang="fr-FR">

I don't know why fr-FR was selected, maybe because my keyboard layout is French. So, I manually selected en-US as the language for subscribed events (RenderedText):

wecutil ss MySub /l:en-US

After that, the events were displayed with this error :

The description for Event ID 1149 from source Microsoft-Windows-TerminalServices-RemoteConnectionManager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

I changed the language parameters of the server: I have set the "Date, time" to the English (United States) date format, and everything goes OK. Hope it will help.

Patator
0

Had the same situation with Server 2016 and 2012 R2. OS English; keyboard, location and date format were German. In the XML of the events, xml:lang="de-DE" appears, and the events were also displayed with the "... cannot be found ..." message.

Changed the datetime format to English (United States) and set the subscription language with wecutil ss MySub /l:en-US, and the events showed correctly.

Many thanks for sharing; I don't understand why Microsoft doesn't mention this problem.
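
The question shows the UserData XML arriving intact even when the rendered description falls back to %1, %2, %3, so a collector-side script can read the logon fields from the XML and not depend on the subscription's rendering locale. This is an added example, not part of the original posts; the function name ConvertFrom-Rdp1149Xml and the sample event's System block are assumptions constructed for illustration.

```powershell
# Constructed sample of a forwarded 1149 event. The UserData values and the
# xml:lang attribute come from the posts above; the System block is a minimal
# assumption so the document is well-formed.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event" xml:lang="fr-FR">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" />
    <EventID>1149</EventID>
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <Param1>administrator</Param1>
      <Param2>MYDOMAIN</Param2>
      <Param3>192.168.0.2</Param3>
    </EventXML>
  </UserData>
</Event>
'@

# Hypothetical helper: extracts the RDP logon fields from the event XML and
# flags events whose rendered description is missing or still holds %N placeholders.
function ConvertFrom-Rdp1149Xml {
    param(
        [Parameter(Mandatory)][string]$Xml,
        [string]$RenderedMessage
    )
    $doc    = [xml]$Xml
    $params = $doc.Event.UserData.EventXML
    [pscustomobject]@{
        User          = $params.Param1
        Domain        = $params.Param2
        SourceAddress = $params.Param3
        # Empty string when the attribute is absent from the XML
        RenderLocale  = $doc.Event.GetAttribute('xml:lang')
        Unrendered    = [string]::IsNullOrEmpty($RenderedMessage) -or
                        ($RenderedMessage -match '%\d')
    }
}

# Offline run against the constructed sample, with the broken description from the question
ConvertFrom-Rdp1149Xml -Xml $sampleXml -RenderedMessage 'User: %1 Domain: %2 Source Network Address: %3'

# On the collector, the same helper can be fed from the ForwardedEvents log:
# Get-WinEvent -LogName ForwardedEvents -FilterXPath '*[System[EventID=1149]]' |
#     ForEach-Object { ConvertFrom-Rdp1149Xml -Xml $_.ToXml() -RenderedMessage $_.Message }
```

Events reported with Unrendered set to true are the ones affected by the locale mismatch described in the answers; the User, Domain and SourceAddress fields remain usable either way.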