Problem with Windows Event | View post | Log collection solutions

Pasi 8 years ago

Hello,

nxlog CE v2.9.1504, Windows Server 2008 Enterprise

relevant part of config file:

<Input eventlog>
# Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
    Exec if ($Severity == 'INFO') drop();
<QueryXML>
    <QueryList>
        <Query Id="0">
            <Select Path="System">*</Select>
            <Select Path="Security">*</Select>
            <Select Path="Application">*</Select>
<!-- EventID 2137 - Shrepoint Health Analyzer - ignore -->
            <Suppress Path="Application">*[System[(EventID=2137)]]</Suppress>
<!-- EventID 2138 - Shrepoint Health Analyzer - ignore -->
            <Suppress Path="Application">*[System[(EventID=2138)]]</Suppress>
            <Select Path="Microsoft-Windows-TaskScheduler/Operational">*</Select>
        </Query>
    </QueryList>
</QueryXML>
# Uncomment im_mseventlog for Windows XP/2000/2003
#   Module im_mseventlog
</Input>

One event (EventID 1309 from Application channel) always returns an empty message field (message:null) as you can see in debug output.

{"EventTime":"2017-03-21 09:54:13","Hostname":"HOST.DOMAIN.TLD","Keywords":36028797018963968,
"EventType":"WARNING","SeverityValue":3,"Severity":"WARNING","EventID":1309,"SourceName":"ASP.NET 2.0.50727.0",
"Task":3,"RecordNumber":1013344,"ProcessID":0,"ThreadID":0,"Channel":"Application","ERROR_EVT_UNRESOLVED":true,
"Category":"Web Event","EventReceivedTime":"2017-03-21 09:54:13","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog",
"message":null}

How can I get more informations, why those events has a null message field?
What means "ERROR_EVT_UNRESOLVED":true?

Thank you.