
Require Windows Event log in Raw XML Format
I am having trouble configuring NXLog Enterprise to forward the Windows Event Log in the original raw XML format that is shown in the XML View on the Details tab. The required data is:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Name="Microsoft-Windows-Security-Auditing"/>
        <EventID>4624</EventID>
        <Version>2</Version>
        <Level>Information</Level>
        <Task>Logon</Task>
        <Opcode>Info</Opcode>
        <Keywords>Audit Success</Keywords>
        <TimeCreated SystemTime="2022-09-15T07:25:38.254241000Z"/>
        <EventRecordID>6733</EventRecordID>
        <Correlation ActivityID="{9C53E768-C82B-0003-78E7-539C2BC8D801}"/>
        <Execution ProcessID="772" ThreadID="19980"/>
        <Channel>Security</Channel>
        <Computer>Redacted01</Computer>
        <Security/>
      </System>
      <EventData>
        <Data Name="SubjectUserSid">NT AUTHORITY\SYSTEM</Data>
        <Data Name="SubjectUserName">Redacted01$</Data>
        <Data Name="SubjectDomainName">WORKGROUP</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="TargetUserSid">Redacted01\Redacted03</Data>
        <Data Name="TargetUserName">Redacted03</Data>
        <Data Name="TargetDomainName">Redacted01</Data>
        <Data Name="TargetLogonId">0x45b8d14</Data>
        <Data Name="LogonType">7</Data>
        <Data Name="LogonProcessName">User32 </Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">Redacted01</Data>
        <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x438</Data>
        <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
        <Data Name="IpAddress">Redacted02</Data>
        <Data Name="IpPort">0</Data>
        <Data Name="ImpersonationLevel">Impersonation</Data>
        <Data Name="RestrictedAdminMode">-</Data>
        <Data Name="TargetOutboundUserName">-</Data>
        <Data Name="TargetOutboundDomainName">-</Data>
        <Data Name="VirtualAccount">No</Data>
        <Data Name="TargetLinkedLogonId">0x0</Data>
        <Data Name="ElevatedToken">Yes</Data>
      </EventData>
    </Event>

The data I am currently receiving is the information in the General tab instead. I have applied the following configuration to convert the data to XML format:

    define ROOT C:\Program Files\nxlog
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension _syslog>
        Module xm_syslog
    </Extension>

    <Extension _json>
        Module xm_json
    </Extension>

    <Extension xml>
        Module xm_xml
    </Extension>

    <Input in_win>
        Module im_msvistalog
        Query <QueryList> \
                <Query Id="0"> \
                  <Select Path="Application">*</Select> \
                  <Select Path="System">*</Select> \
                  <Select Path="Security">*</Select> \
                </Query> \
              </QueryList>
        Exec $Message=$EventXML;$log_type=$event_trace;to_xml();
    </Input>

    <Output out_win>
        Module om_udp
        Host 192.168.108.201:514
    </Output>

    <Route 2>
        Path in_win => out_win
    </Route>

However, I am not able to get the desired output. The data I am currently receiving is:

    09 15 2022 03:53:34 192.168.115.4 <USER:NOTE>
    <EventTime>2022-09-15 16:38:31</EventTime>
    <Hostname>SOCJH-04.cryptogennepal.com</Hostname>
    <Keywords>9232379236109516800</Keywords>
    <EventType>AUDIT_SUCCESS</EventType>
    <SeverityValue>2</SeverityValue>
    <Severity>INFO</Severity>
    <EventID>4624</EventID>
    <SourceName>Microsoft-Windows-Security-Auditing</SourceName>
    <ProviderGuid>{54849625-5478-4994-A5BA-3E3B0328C30D}</ProviderGuid>
    <Version>2</Version>
    <TaskValue>12544</TaskValue>
    <OpcodeValue>0</OpcodeValue>
    <RecordNumber>189928</RecordNumber>
    <ExecutionProcessID>748</ExecutionProcessID>
    <ExecutionThreadID>11540</ExecutionThreadID>
    <Channel>Security</Channel>
    <Message/>
    <Category>Logon</Category>
    <Opcode>Info</Opcode>
    <SubjectUserSid>S-1-5-18</SubjectUserSid>
    <SubjectUserName>SOCJH-04$</SubjectUserName>
    <SubjectDomainName>CGN</SubjectDomainName>
    <SubjectLogonId>0x3e7</SubjectLogonId>
    <TargetUserSid>S-1-5-21-1983202128-2021996171-226450221-1105</TargetUserSid>
    <TargetUserName>srijan.kafle</TargetUserName>
    <TargetDomainName>CGN</TargetDomainName>
    <TargetLogonId>0x1e170ee</TargetLogonId>
    <LogonType>7</LogonType>
    <LogonProcessName>Negotiat</LogonProcessName>
    <AuthenticationPackageName>Negotiate</AuthenticationPackageName>
    <WorkstationName>SOCJH-04</WorkstationName>
    <LogonGuid>{4eaf9196-9215-5425-4e8c-729f74b2f1ce}</LogonGuid>
    <TransmittedServices>-</TransmittedServices>
    <LmPackageName>-</LmPackageName>
    <KeyLength>0</KeyLength>
    <ProcessId>0x2ec</ProcessId>
    <ProcessName>C:\Windows\System32\lsass.exe</ProcessName>
    <IpAddress>-</IpAddress>
    <IpPort>-</IpPort>
    <ImpersonationLevel>%%1833</ImpersonationLevel>
    <RestrictedAdminMode>-</RestrictedAdminMode>
    <TargetOutboundUserName>-</TargetOutboundUserName>
    <TargetOutboundDomainName>-</TargetOutboundDomainName>
    <VirtualAccount>%%1843</VirtualAccount>
    <TargetLinkedLogonId>0x0</TargetLinkedLogonId>
    <ElevatedToken>%%1843</ElevatedToken>
    <EventReceivedTime>2022-09-15 16:38:33</EventReceivedTime>
    <SourceModuleName>in_win</SourceModuleName>
    <SourceModuleType>im_msvistalog</SourceModuleType>
    <log_type/>
    </Event>

Requesting assistance/documentation to achieve the desired log format.

Srijan created
Replies: 1
Different ProcessID field values ​​in sysmon event
Hello! I noticed that the value of the ProcessID field in a Sysmon event does not match the value of the ProcessId field which is nested in the Message field. Is that normal? The sample Sysmon event from https://nxlog.co/documentation/nxlog-user-guide/sysmon.html is below:

    {
      "EventTime": "2015-04-27 15:23:46",
      "Hostname": "WIN-OUNNPISDHIG",
      "Keywords": -9223372036854776000,
      "EventType": "INFO",
      "SeverityValue": 2,
      "Severity": "INFO",
      "EventID": 1,
      "SourceName": "Microsoft-Windows-Sysmon",
      "ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
      "Version": 3,
      "Task": 1,
      "OpcodeValue": 0,
      "RecordNumber": 2335906,
      "ProcessID": 1680,
      "ThreadID": 1728,
      "Channel": "Microsoft-Windows-Sysmon/Operational",
      "Domain": "NT AUTHORITY",
      "AccountName": "SYSTEM",
      "UserID": "SYSTEM",
      "AccountType": "Well Known Group",
      "Message": "Process Create:\r\nUtcTime: 2015.04.27. 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: \"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe",
      "Opcode": "Info",
      "UtcTime": "2015.04.27. 13:23",
      "ProcessGuid": "{00000000-3862-553E-0000-001051D40527}",
      "Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe",
      "CommandLine": "\"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f",
      "User": "WIN-OUNNPISDHIG\\Administrator",
      "LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}",
      "LogonId": "0x4edd5",
      "TerminalSessionId": "2",
      "IntegrityLevel": "High",
      "HashType": "SHA1",
      "Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94",
      "ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}",
      "ParentProcessId": "26544",
      "ParentImage": "C:\\msys\\1.0\\bin\\sh.exe",
      "ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe",
      "EventReceivedTime": "2015-04-27 15:23:47",
      "SourceModuleName": "in",
      "SourceModuleType": "im_msvistalog"
    }

Alexander created
Replies: 1
im_msvistalog multiple filters
Hello, I have to filter multiple logs (such as System and Application) and also filter them by level. I'm trying to write a config, but it doesn't output anything.

    <Input eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path="System">[System[(EventID=11150 or EventID=11151 or EventID=11152 or EventID=11153 or EventID=11154 or EventID=11155 or EventID=11162 or EventID=11163 or EventID=11164 or EventID=11165 or EventID=11166 or EventID=11167 or EventID=5773 or EventID=5774)]]</Select>
                    <Select Path='System'>[System/Level=2]</Select>
                    <Select Path="System">[System[(Level=2 or Level=4)][(EventID=6005 or EventID=6008)]]</Select>
                    <Select Path="System">[System/Level=4[(EventID=6005 or EventID=6008)]]</Select>s
                    <Select Path="System">[System/Level=3[(EventID=1031 or EventID=1053 or EventID=5053 or EventID=1129 or EventID=1131 or EventID=1135 or EventID=1206 or EventID=1211 or EventID=1216 or EventID=1553 or EventID=5553 or EventID=2057 or EventID=47 or EventID=16947 or EventID=16949 or EventID=4034 or EventID=9015 or EventID=9026)]]</Select>
                    <Select Path="Application">[System/Level=2]</Select>
                    <Select Path="Application">*[System/Level=3[(EventID=514)]]</Select>
            </QueryList>
        </QueryXML>
    </Input>

I don't know if this is the right way; it's my first time with nxlog. Thanks a lot!

LP_577584 created
Replies: 1
Windows 2012r2 (and possibly others) NXLog parsing issue?
Hello, we are using NXLog extensively and just recently started seeing some parsing issues, so far specifically on Windows 2012 R2 using Windows Event Forwarding, but it could be others. It appears to be something with processing self-closed tags at first glance, but I've done a little bit of testing myself and couldn't directly reproduce the problem (so far), so I figured I'd come here for guidance. Specific details are included below.

Current Behavior: NXLog appears to be improperly parsing empty, self-closed XML tags.

Expected Behavior: NXLog properly ignores empty, self-closed XML tags.

NXLog Version: nxlog-ce-2.10.2150

NXLog Configuration File:

    ## NXLog configuration file
    define ROOT C:\Program Files (x86)\nxlog
    define LOGFILE %ROOT%\data\nxlog.log

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %LOGFILE%

    # Rotate agent logs on the local system such that only the last 4 files are kept
    <Extension fileop>
        Module xm_fileop
        # Check the size of our log file every hour and rotate if it is larger than 1M
        <Schedule>
            Every 1 hour
            Exec if (file_size('%LOGFILE%') >= 1M) file_cycle('%LOGFILE%', 4);
        </Schedule>
        # Rotate our log file every week on sunday at midnight
        <Schedule>
            When @weekly
            Exec file_cycle('%LOGFILE%', 4);
        </Schedule>
    </Extension>

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Extension json>
        Module xm_json
    </Extension>

    # Agent logs
    <Input internal>
        Module im_internal
    </Input>

    # OS logs
    <Input eventlog>
        Module im_msvistalog
        # Drop EventID 5156 logs when application name is nxlog.exe
        Exec if ($SourceName == 'Microsoft-Windows-Security-Auditing')\
               AND ($EventID == 5156)\
               AND ($Application =~ /nxlog.exe$/)\
               drop();
    </Input>

    <Input forwardedEvents>
        Module im_msvistalog
        Query <QueryList> \
                <Query Id="0"> \
                  <Select Path="ForwardedEvents">*</Select>\
                </Query> \
              </QueryList>
    </Input>

    # SIEM port 3514 is listening for JSON-encoded IETF style syslog messages
    # OutputType Syslog_TLS required to enable the octet-framing described in RFC5425
    <Output out>
        Module om_tcp
        Host XXX.XXX.XXX.XXX
        Port 3514
        OutputType Syslog_TLS
        Exec $Message = to_json();
        # Remove param-value pairs from structured data header with names > 32 characters.
        Exec if ($SourceName == 'Microsoft-Windows-GroupPolicy') {\
                 if ($EventID == 5017) OR ($EventID == 6017) OR ($EventID == 7017)\
                     delete($OperationElaspedTimeInMilliSeconds);\
                 if ($EventID == 5116) OR ($EventID == 6116) OR ($EventID == 7116)\
                     delete($GpsvcInitTimeElapsedInMilliseconds);\
                 if ($EventID == 5126) OR ($EventID == 6126) OR ($EventID == 7126)\
                     delete($GPODownloadTimeElapsedInMilliseconds);\
                 if ($EventID == 5257) OR ($EventID == 6257) OR ($EventID == 7257)\
                     delete($PolicyDownloadTimeElapsedInMilliseconds);\
                 if ($EventID == 5351) OR ($EventID == 6351) OR ($EventID == 7351)\
                     delete($WinlogonReturnTimeElapsedInMilliseconds);\
             }
        Exec to_syslog_ietf();
    </Output>

    <Route 1>
        Path internal, eventlog, forwardedEvents => out
    </Route>

Windows Version: Windows 2012 R2 (potentially others, but confirmed for sure on this one)

Example Exported XML from Event Viewer:

    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <Events>
      <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event' xml:lang='en-US'>
        <System>
          <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/>
          <EventID>4688</EventID>
          <Version>2</Version>
          <Level>0</Level>
          <Task>13312</Task>
          <Opcode>0</Opcode>
          <Keywords>0x8020000000000000</Keywords>
          <TimeCreated SystemTime='2019-10-23T14:01:56.684789600Z'/>
          <EventRecordID>5238702734</EventRecordID>
          <Correlation/>
          <Execution ProcessID='4' ThreadID='3948'/>
          <Channel>Security</Channel>
          <Computer>hostname.domain</Computer>
          <Security/>
        </System>
        <EventData>
          <Data Name='SubjectUserSid'>S-1-5-18</Data>
          <Data Name='SubjectUserName'>workstation$</Data>
          <Data Name='SubjectDomainName'>DOMAIN</Data>
          <Data Name='SubjectLogonId'>0x3e7</Data>
          <Data Name='NewProcessId'>0x1754</Data>
          <Data Name='NewProcessName'>C:\Windows\System32\wbem\WmiApSrv.exe</Data>
          <Data Name='TokenElevationType'>%%1936</Data>
          <Data Name='ProcessId'>0x2f8</Data>
          <Data Name='CommandLine'/>
          <Data Name='TargetUserSid'>S-1-0-0</Data>
          <Data Name='TargetUserName'>-</Data>
          <Data Name='TargetDomainName'>-</Data>
          <Data Name='TargetLogonId'>0x0</Data>
        </EventData>
        <RenderingInfo Culture='en-US'>
          <Message>A new process has been created...</Message>
          <Level>Information</Level>
          <Task>Process Creation</Task>
          <Opcode>Info</Opcode>
          <Channel>Security</Channel>
          <Provider>Microsoft Windows security auditing.</Provider>
          <Keywords><Keyword>Audit Success</Keyword></Keywords>
        </RenderingInfo>
      </Event>
    </Events>

Example data as received on the wire:

    <14>1 2019-10-21T15:44:36.650065-04:00 hostname.domain Microsoft-Windows-Security-Auditing 4 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="4688" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="2" Task="13312" OpcodeValue="0" RecordNumber="355111132" ThreadID="5020" Channel="Security" Category="Process Creation" Opcode="Info" SubjectUserSid="S-1-5-18" SubjectUserName="workstation$" SubjectDomainName="DOMAIN" SubjectLogonId="0x3e7" NewProcessId="0x13a8" NewProcessName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe" TokenElevationType="%%1936" CommandLine\'/><Data_Name=\'TargetUserSid="S-1-0-0" TargetUserName="workstation$" TargetDomainName="DOMAIN" TargetLogonId="0x3e4" EventReceivedTime="2019-10-21 15:45:38" SourceModuleName="eventlog" SourceModuleType="im_msvistalog"]
    {"EventTime":"2019-10-21 15:44:36","Hostname":"hostname.domain","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4688,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":2,"Task":13312,"OpcodeValue":0,"RecordNumber":355111132,"ProcessID":4,"ThreadID":5020,"Channel":"Security","Message":"A new process has been created...","Category":"Process Creation","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"workstation$","SubjectDomainName":"domain","SubjectLogonId":"0x3e7","NewProcessId":"0x13a8","NewProcessName":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","TokenElevationType":"%%1936","CommandLine'/><Data Name='TargetUserSid":"S-1-0-0","TargetUserName":"workstation$","TargetDomainName":"DOMAIN","TargetLogonId":"0x3e4","EventReceivedTime":"2019-10-21 15:45:38","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"}

NOTE: I know the above two examples don't reference the exact same event. They are just for illustration and reference purposes.

You should see that in the XML exported from Event Viewer, there's an empty, self-closed 'CommandLine' tag. However, in the example pulled from the wire, you should see that the 'CommandLine' tag has been mangled and parsed as if it were part of the 'TargetUserSid' tag, and there's some XML data there. Have you seen similar behavior when parsing logs either through ForwardedEvents (Windows Event Forwarding) or otherwise?

Addendum: We have also seen this behavior with other empty, self-closed XML fields such as a 'TargetDomainName' field, so it does not seem to be specifically related to the CommandLine tag itself.

nwalters created
Replies: 1
NXLog 4.3.4308 is failed to subscribe to msvistalog events
Hi everyone! Maybe you can help me, thanks a lot. I hope you will be kind enough to help me now. My NXLog clients don't collect Windows System logs, and now I often see this message in my logs:

    2019-06-04 17:49:50 INFO nxlog-4.3.4308 started
    2019-06-04 17:49:50 ERROR failed to subscribe to msvistalog events using bookmark: The interface is unknown.
    2019-06-04 17:49:50 ERROR failed to subscribe to msvistalog events using bookmark: The interface is unknown.
    <QueryList> <Query Id='1'> <Select Path='System'>*</Select> </Query> </QueryList>
    <QueryList> <Query Id='1'> <Select Path='Application'>*</Select> </Query> </QueryList>
    2019-06-04 17:49:50 ERROR failed to subscribe to msvistalog events [error code: 1717]; The interface is unknown.

My config:

    define ROOT C:\nxlog
    define NXLOGLOGFILE %ROOT%\data\nxlog.log
    define CERTDIR %ROOT%\cert

    PersistLogqueue TRUE
    SyncLogqueue TRUE
    CacheFlushInterval 0
    CacheSync TRUE

    <Input winapp>
        Module im_msvistalog
        ReadFromLast TRUE
        <QueryXML>
            <QueryList>
                <Query Id='1'>
                    <Select Path='Application'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        Exec $FileName = 'winapp.log';
        Exec $EventTime = $EventReceivedTime;
    </Input>

    <Input winsys>
        Module im_msvistalog
        ReadFromLast TRUE
        <QueryXML>
            <QueryList>
                <Query Id='1'>
                    <Select Path='System'>*</Select>
                </Query>
            </QueryList>
        </QueryXML>
        Exec $FileName = 'winsys.log';
        Exec $EventTime = $EventReceivedTime;
    </Input>

    <Output out>
        BufferSize 9500000
        Module om_batchcompress
        Host 192.168.100.100
        Port 1514
        UseSSL true
        AllowUntrusted TRUE
        CAFile %CERTDIR%\cacert.pem
        CertFile %CERTDIR%\clientcert.pem
        CertKeyFile %CERTDIR%\clientkey.pem
    </Output>

    <Route client>
        Path winapp, winsys => out
    </Route>

After restarting the service, nothing changes. Any ideas, please!

hatula created
Replies: 1
Windows Event ID Whitelist Filter Question
I'm using NXLog CE to forward Windows event logs via the im_msvistalog module. There are about 161 event IDs that I want to whitelist from the Security log, and I don't want to send anything else from the event logs. The following config snippet works:

    <Input eventlog>
        Module im_msvistalog
        <QueryXML>
            <QueryList>
                <Query Id='0'>
                    <Select Path='Security'>*[System[(EventID=4627)] or System[(EventID=4624)] or System[(EventID=4775)] or System[(EventID=4776)] or System[(EventID=4777)] or System[(EventID=4741)] or System[(EventID=4742)] or System[(EventID=4743)] or System[(EventID=4744)] or System[(EventID=4745)] or System[(EventID=4746)] or System[(EventID=4747)] or System[(EventID=4748)] or System[(EventID=4749)] or System[(EventID=4750)] or System[(EventID=4751)] or System[(EventID=4752)] or System[(EventID=4753)] or System[(EventID=4759)] or System[(EventID=4760)] or System[(EventID=4672)] or System[(EventID=4634)] or System[(EventID=4648)]] </Select>
                </Query>
            </QueryList>
        </QueryXML>
    </Input>

The issue is that once I add one more line to that config, NXLog stops shipping events completely. Is there a better way for me to write this that would allow for more than 23 whitelisted event IDs?

paul.masek created
Replies: 1
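The two filtering posts above (LP_577584's per-level System and Application query, and paul.masek's Security whitelist that stops working once a single Select carries more than 23 EventIDs) want the same thing: a `<QueryXML>` block whose every Select is a well-formed XPath of the form `*[System[...]]`, with long EventID lists spread over several `<Select>` elements of the same Path. Windows combines the Selects inside one `<Query>` with OR, so the split does not change what is matched. The generator below is an added example written for this page, not NXLog's code or either poster's; the 20-terms-per-Select ceiling is an assumed safe margin under the limit paul.masek hit, and the channels, ID ranges and the input name `eventlog` are constructed samples.

```python
"""Generate an im_msvistalog <QueryXML> block that keeps each XPath <Select> small.

Added example; the rule table and the 20-term ceiling are assumptions, not NXLog defaults.
"""
import xml.etree.ElementTree as ET

# Windows rejects XPath selects with too many expressions (the post saw 23 work and 24 fail);
# stay below that by putting at most this many EventID terms in one <Select>.
MAX_TERMS_PER_SELECT = 20


def chunked(items, size):
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def select_for(channel, event_ids=None, levels=None):
    """One <Select>: optional Level filter AND optional EventID filter, both as System[...] predicates."""
    clauses = []
    if levels:
        clauses.append("(" + " or ".join(f"Level={lvl}" for lvl in levels) + ")")
    if event_ids:
        clauses.append("(" + " or ".join(f"EventID={eid}" for eid in event_ids) + ")")
    xpath = "*[System[" + " and ".join(clauses) + "]]" if clauses else "*"
    return f'<Select Path="{channel}">{xpath}</Select>'


def build_query_list(rules, max_terms=MAX_TERMS_PER_SELECT):
    """rules: list of (channel, event_ids, levels); long ID lists are split over several <Select>s.

    Selects inside one <Query> are ORed by Windows, so splitting does not change what is matched.
    """
    selects = []
    for channel, event_ids, levels in rules:
        ids = sorted(set(event_ids or []))
        if len(ids) > max_terms:
            selects.extend(select_for(channel, part, levels) for part in chunked(ids, max_terms))
        else:
            selects.append(select_for(channel, ids or None, levels))
    body = "\n".join("        " + s for s in selects)
    query = '<QueryList>\n    <Query Id="0">\n' + body + "\n    </Query>\n</QueryList>"
    ET.fromstring(query)  # raise now if the generated query is not well-formed XML
    return query


def nxlog_input_block(name, query):
    """Wrap the query in an im_msvistalog <Input> block ready to paste into nxlog.conf."""
    indented = "\n".join("        " + line for line in query.splitlines())
    return f"<Input {name}>\n    Module im_msvistalog\n    <QueryXML>\n{indented}\n    </QueryXML>\n</Input>"


# Constructed sample rules: level-based System/Application rules like the first post's,
# and a 161-ID Security whitelist like the second post's (the ID range is synthetic).
SAMPLE_RULES = [
    ("System", [6005, 6008], [2, 4]),
    ("System", None, [2]),
    ("Application", [514], [3]),
    ("Security", list(range(4600, 4761)), None),
]

if __name__ == "__main__":
    print(nxlog_input_block("eventlog", build_query_list(SAMPLE_RULES)))
```

Before restarting the agent, paste the generated `<QueryList>` into a file and run `Get-WinEvent -FilterXml (Get-Content query.xml -Raw) -MaxEvents 5` on the host: if Windows rejects the query, it fails there with a readable error instead of NXLog silently shipping nothing.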
im_msvistalog Assertion Failed
Hi, I'm trying to read from a .evtx file directly using the File directive in im_msvistalog. I keep getting an error:

    Assertion failed at line 1945 in im_msvistalog.c/im_msvistalog_start(): "((nx_im_msvistalog_subscr_t **)(imconf->q_subs->nelts-1->query = imconf->_query""

I'm running Windows 10 with nxlog-4.0.3550. I've tested with different files with the same error.

yajitux created
Replies: 1
Eventlog Source Limitation on Server 2016
Hi, when configuring nxlog-CE on a Server 2016, there are limitations for collecting all event log sources. After starting the nxlog service, I see the following information in the nxlog log file:

    2017-12-12 18:18:38 INFO nxlog-ce-2.9.1716 started
    2017-12-12 18:18:50 WARNING Due to a limitation in the Windows EventLog subsystem, a query cannot contain more than 256 sources.

Here is my nxlog configuration:

    define ROOT C:\Program Files (x86)\nxlog
    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension gelf>
        Module xm_gelf
    </Extension>

    <Input in>
        Module im_msvistalog
        Exec if ($EventType == 'VERBOSE') OR ($EventType == 'INFO') OR ($EventType == 'AUDIT_SUCCESS') drop();
        Exec if ($SourceName == 'Microsoft-Windows-KnownFolders' AND $EventID == 1002) drop();
    </Input>

    <Output out>
        Module om_udp
        OutputType GELF
        Host our.graylog.server
        Port 1515
    </Output>

    <Route 1>
        Path in => out
    </Route>

We use the same configuration on our Windows Server 2012 / 2012 R2 systems without any issues. Will there be a fix in a new edition? We don't want to filter the event log sources in the configuration. Kind regards, Markus

markus.wolfram created
Replies: 2
256 sources limit
Back to the conversation about the current workaround: Windows Server 2016 has more than 256 channels. Is it possible to create a second thread/instance to subscribe to the remaining channels? I can try to guess and create an XML filter to exclude some channels that are unneeded for now, but tomorrow MS can create more channels with some update, and it would be nice if it were handled automatically.

serge created
Replies: 1
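The warning quoted by markus.wolfram and the follow-up from serge both come down to the same arithmetic: an im_msvistalog instance with no query subscribes to every channel on the box, and Windows refuses a subscription with more than 256 sources. Since several im_msvistalog inputs can share one route (hatula's config above already runs two), the workable answer is to enumerate the channels and hand each input at most 256 of them. The script below is an added example written for this page, not NXLog's or either poster's code. On a real host the channel list comes from `wevtutil el` (or `Get-WinEvent -ListLog *`); here it is a constructed list of three real channel names plus 300 synthetic ones, and the input names `eventlog_N`, the route name and the output name `out` are assumptions.

```python
"""Split a Windows event channel list across several im_msvistalog inputs (max 256 sources each).

Added example. The channel names below are constructed; on a real host feed in the output of
`wevtutil el`. The input names `eventlog_N`, the route name and output `out` are assumptions.
"""
from html import escape

# The limit named by the nxlog.log warning in the post.
MAX_SOURCES_PER_QUERY = 256


def chunked(items, size):
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def query_list_for(channels):
    """A <QueryList> subscribing to every event in each of the given channels."""
    selects = "\n".join(
        f'        <Select Path="{escape(ch, quote=True)}">*</Select>' for ch in channels
    )
    return '<QueryList>\n    <Query Id="0">\n' + selects + "\n    </Query>\n</QueryList>"


def input_block(name, channels):
    """One im_msvistalog <Input> for a slice of the channel list."""
    query = "\n".join("        " + line for line in query_list_for(channels).splitlines())
    return f"<Input {name}>\n    Module im_msvistalog\n    <QueryXML>\n{query}\n    </QueryXML>\n</Input>"


def split_inputs(channels, output="out", max_sources=MAX_SOURCES_PER_QUERY):
    """Return (config_text, input_names): enough inputs that no query exceeds `max_sources` channels.

    Channels are de-duplicated and sorted so the same list always yields the same config.
    """
    names, blocks = [], []
    for number, part in enumerate(chunked(sorted(set(channels)), max_sources), start=1):
        name = f"eventlog_{number}"
        names.append(name)
        blocks.append(input_block(name, part))
    route = f"<Route eventlog>\n    Path {', '.join(names)} => {output}\n</Route>"
    return "\n\n".join(blocks + [route]), names


# Constructed channel list standing in for `wevtutil el` on a Server 2016 host.
SAMPLE_CHANNELS = ["Application", "Security", "System"] + [
    f"Microsoft-Windows-Sample{i:03d}/Operational" for i in range(300)
]

if __name__ == "__main__":
    config, _ = split_inputs(SAMPLE_CHANNELS)
    print(config)
```

Two practical notes: filter Analytic and Debug channels out of the list first, because they are not enabled by default and are not meant for subscriptions (`wevtutil gl <channel>` shows the type), and regenerate the config from a fresh `wevtutil el` whenever Windows updates add channels, which is the situation serge describes.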
Can NXLog collect Windows XML Event logs vs Rendered Logs?
NXLog's im_msvistalog module collects the rendered event log rather than the raw XML Windows Event Log. Is there a configuration option in the NXLog agent or the im_msvistalog module to enable collecting the original Windows XML Event Log rather than the rendered event log? Best Regards, Chris

Edit: I think I have worked this out. It appears to collect the XML data but also the rendered log field. This leads to the questions: 1) Can you disable or filter out the Message field? It's not needed. 2) Can you collect the Windows Event Log fields in the order they're written, e.g. the Provider field? From testing, the Provider field is renamed as SourceName and collected out of order from the original Windows Event Log. The reason for the above is that I have multiple upstream systems that require the original log format, and hence I'm testing the viability of using NXLog to retrieve Windows Event Logs.

emchris created
Replies: 1
Windows Eventlog - registry ref objects do not resolve
I am new, and I apologise in advance if this question has been asked already. Problem: I am using nxlog to forward Windows event logs (JSON format) to a central logging system. Not all objects are resolved in the message. Example:

    Object:
        Object Server: DS
        Object Type: %{e0fa1e8c-9b45-11d0-afdd-00c04fd930c9}
        Object Name: %{cc0985a1-b646-4957-bb95-ac8fe9ad147a}

Question: Is that normal, or is there something I can do to resolve those references?

mwber1 created
Replies: 1
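The `%{GUID}` placeholders in a Directory Service access event (the 4662 shape quoted above) are not something the agent can render from the local message tables: Object Type is the schemaIDGUID of an AD class, the entries under Properties are schemaIDGUIDs of attributes or property sets or the rightsGuid of a control access right, and Object Name is the target object's own objectGUID. Resolving them means a lookup against the directory, and the part scripts usually get wrong is that LDAP returns schemaIDGUID and objectGUID as 16 raw bytes in Windows mixed-endian order, while rightsGuid is already text. The snippet below is an added example written for this page, not NXLog's code or the poster's. The schema and extended-rights rows are a constructed sample containing two well-known entries (the `user` class and the `DS-Replication-Get-Changes` right); on a real domain they come from an LDAP search of `CN=Schema,CN=Configuration,…` and `CN=Extended-Rights,CN=Configuration,…`. The GUIDs from the post are left in the sample message to show that unknown references stay untouched.

```python
"""Resolve %{GUID} placeholders in Directory Service audit events against AD schema data.

Added example, not NXLog code. The sample rows are constructed (two well-known entries);
pull the real ones from the schema and configuration naming contexts of your DC.
"""
import re
import uuid

REF = re.compile(r"%\{([0-9a-fA-F-]{36})\}")


def guid_from_ldap_bytes(raw: bytes) -> str:
    """objectGUID / schemaIDGUID come back from LDAP as 16 bytes in Windows little-endian layout."""
    return str(uuid.UUID(bytes_le=raw))


def ldap_filter_for_guid(attribute: str, guid_text: str) -> str:
    """Escaped LDAP filter that finds the object carrying this GUID, e.g. to look up Object Name.

    The bytes are written as \\xx pairs, which is how binary values go into an LDAP filter.
    """
    raw = uuid.UUID(guid_text).bytes_le
    return f"({attribute}=" + "".join(f"\\{b:02x}" for b in raw) + ")"


def build_guid_map(schema_rows=(), extended_rights_rows=()):
    """schema_rows: (lDAPDisplayName, schemaIDGUID bytes) from the schema naming context.
    extended_rights_rows: (displayName, rightsGuid text) from CN=Extended-Rights, where the
    GUID is already stored as a string."""
    mapping = {guid_from_ldap_bytes(raw): name for name, raw in schema_rows}
    mapping.update({guid.lower(): name for name, guid in extended_rights_rows})
    return mapping


def resolve_refs(text: str, guid_map: dict) -> str:
    """Replace every %{guid} whose GUID is known; unknown ones are left exactly as they were."""
    return REF.sub(lambda m: guid_map.get(m.group(1).lower(), m.group(0)), text)


# Constructed sample rows: the bytes are what LDAP returns for the well-known `user` class.
SAMPLE_SCHEMA_ROWS = [
    ("user", uuid.UUID("bf967aba-0de6-11d0-a285-00aa003049e2").bytes_le),
]
SAMPLE_RIGHTS_ROWS = [
    ("DS-Replication-Get-Changes", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
]

# Constructed message in the shape of the post; the last GUID is the one the poster could not resolve.
SAMPLE_MESSAGE = (
    "Object Type: %{bf967aba-0de6-11d0-a285-00aa003049e2}\n"
    "Properties: %{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
    "Object Name: %{cc0985a1-b646-4957-bb95-ac8fe9ad147a}"
)

if __name__ == "__main__":
    print(resolve_refs(SAMPLE_MESSAGE, build_guid_map(SAMPLE_SCHEMA_ROWS, SAMPLE_RIGHTS_ROWS)))
    print(ldap_filter_for_guid("objectGUID", "cc0985a1-b646-4957-bb95-ac8fe9ad147a"))
```

Object Name GUIDs are not in the schema at all; `ldap_filter_for_guid("objectGUID", …)` gives the filter to search the domain naming context for the object itself, which is the step that turns the post's second placeholder into a distinguished name.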