VMware Cloud Community
AaronSixtus1
Contributor
Contributor
‎11-19-2014 06:19 PM

Windows Agent - Incomplete event entries

Hi All,

I have started to notice some issues with events coming in from the LIAgent in the last few days. The events are no longer showing content, just a "-" or random sting of numbers. The events do have valid source host names, event IDs etc but the body of the event has stopped displaying correctly. I have confirmed that the events are correct within the eventlog on the source host.

Has anybody seen this issue?

Cheers,

Aaron

Labels (3)
Labels
Tags (3)
0 Kudos
9 Replies
sflanders
Commander
Commander
‎11-19-2014 06:31 PM

Hmm, no this should not happen and the fact that you are receiving the header information, but not the message makes no sense. What version of the agent are you running? Can you open a support case with GSS? Will need the liagent.ini file, the agent logs, and the log file you are collecting.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
0 Kudos
AaronSixtus1
Contributor
Contributor
‎11-19-2014 06:34 PM

Will open a call, thanks.

0 Kudos
sflanders
Commander
Commander
‎11-19-2014 06:36 PM

Let me know the PR number and I can investigate/escalate.

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
0 Kudos
sflanders
Commander
Commander
‎02-20-2015 08:23 AM

Any update on this?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
0 Kudos
cwm08
Contributor
Contributor
‎03-19-2015 07:48 AM

Any news on this? I am seeing something similar on our DC audit events, eventID 4662.

I have started to notice some issues with events coming in from the LIAgent in the last few days. The events are no longer showing content, just a "-" or random sting of numbers. The events do have valid source host names, event IDs etc but the body of the event has stopped displaying correctly. I have confirmed that the events are correct within the eventlog on the source host.

In our case, the body of the message exists, but some client side parsing is missing. Such as, "Object Type" and "Object Name" are GUIDS as opposed to their actual directory object names. I am comparing the event in LI and the actual event in Event Viewer.

Using Liagent 2.5.0.2347850 and the api to send events.

[EDIT]

It's not just the 4662 eventID that we are noticing, but also failing to send the parsed SID in event 4732 as the actual name/data.

0 Kudos
admin
Immortal
Immortal
‎03-19-2015 08:08 AM

We have escalated this issue and it is currently being worked on by development. Can you please provide the SR number ?

0 Kudos
cwm08
Contributor
Contributor
‎03-19-2015 08:37 AM

THANKS! Just submitted a feature request SR: 15627088203.

0 Kudos
admin
Immortal
Immortal
‎03-19-2015 09:10 AM

Many Thanks! I will follow it up.

0 Kudos
AaronSixtus1
Contributor
Contributor
‎03-19-2015 12:14 PM

Apologies for not updating this sooner, It turns out my issue related to LIAgent not being updated at the same time as the Log Insight appliance, once the agents were at the same level as the appliance the logs were processed correctly again.

0 Kudos