im_msvistalog on Windows not resolving GUIDS/etc

#1 jhaar

Hi there

Maybe a dumb/newbie question: I'm not a Windows guy, but I know EventLogs have some weird normalization trick where GUIDs/etc have to be cross-referenced against some locale data to show you what you really want to see. I'm trying to run nxlog on a domain controller, but instead of forwarding (to syslog) "english text", we're seeing "Object: Object Server: DS Object Type: %{bf967a9c-0de6-11d0-a285-00aa003049e2} Object Name: %{d7cb26ca-1f06-4d..." kind of stuff

It looks fine in the EventLog viewer on the DC, and running "nxlog -f" from the command line doesn't show any error, so any ideas what's missing?

According to this: https://nxlog.co/question/794/64-bit-windows-event-log-support-community-vs-enterprise I would think standard "this user was added to this group" kind of Security messages would be covered, but I suspect this isn't the case with the community edition?

So do you need the enterprise version to get all Eventlog "translations" that are really standard on systems like domain controllers?

This is with nxlog-ce-2.9.1716.msi.

Thanks, Jason

#2 b0ti Nxlog ✓

The NXLog EE has an extra SID lookup feature via the ResolveSid configuration option but that is supposed to be only for SID values.

You may still want to test the EE regardless to see if these object GUIDs are resolved properly with the EE.
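The `%{bf967a9c-...}` tokens in the forwarded message are Active Directory schema GUIDs (object classes, attributes and extended rights) that Event Viewer resolves against the directory before display. The following PowerShell is an added example, not code from the thread or from NXLog: it builds a GUID-to-name map from the schema and Extended-Rights containers using the RSAT ActiveDirectory module, then rewrites the placeholders in a message. The function names `Get-AdGuidMap` and `Resolve-EventGuidPlaceholders` are my own, and the demo map at the bottom is a constructed entry so the resolver can be exercised without a domain controller.

```powershell
# Added example (not part of the original thread or of NXLog).
# Resolves %{GUID} placeholders from Security events on a DC to the
# schema class/attribute or extended-right names that Event Viewer shows.

# Builds a GUID -> name map from the AD schema and Extended-Rights container.
# Requires the ActiveDirectory module (RSAT) on a domain-joined host.
function Get-AdGuidMap {
    $map = @{}
    $rootDse = Get-ADRootDSE
    # Schema classes and attributes: schemaIDGUID is stored as a byte array.
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object {
            $guid = [System.Guid]::new([byte[]]$_.schemaIDGUID)
            $map[$guid.ToString().ToLower()] = $_.lDAPDisplayName
        }
    # Extended rights and property sets: rightsGuid is already a string.
    $erBase = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    Get-ADObject -SearchBase $erBase -LDAPFilter '(objectClass=controlAccessRight)' `
        -Properties displayName, rightsGuid |
        ForEach-Object { $map[$_.rightsGuid.ToLower()] = $_.displayName }
    return $map
}

# Replaces every %{guid} token whose GUID is in $Map. Unknown GUIDs are left
# untouched so nothing is silently dropped from the forwarded event.
function Resolve-EventGuidPlaceholders {
    param(
        [Parameter(Mandatory)][string]$Message,
        [Parameter(Mandatory)][hashtable]$Map
    )
    $pattern = '%\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}'
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        $key = $m.Groups[1].Value.ToLower()
        if ($Map.ContainsKey($key)) { $Map[$key] } else { $m.Value }
    }.GetNewClosure()
    return [regex]::Replace($Message, $pattern, $evaluator)
}

# Demo with a constructed map so the resolver runs without a DC; the name is a
# placeholder here, the real one comes from Get-AdGuidMap on the DC.
$demoMap = @{
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'user'   # constructed demo entry
}
$sample = 'Object Type: %{bf967a9c-0de6-11d0-a285-00aa003049e2} ' +
          'Object Name: %{00000000-0000-0000-0000-000000000000}'
Resolve-EventGuidPlaceholders -Message $sample -Map $demoMap
```

On the DC, `$map = Get-AdGuidMap` once (the schema changes rarely, so caching it is fine) and run every forwarded message through `Resolve-EventGuidPlaceholders` before it leaves the host; a GUID that stays unresolved after that usually means the object lives outside the schema and Extended-Rights containers rather than that the lookup failed.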