VMware Cloud Community
Gabrie1
Commander

Unable to collect Windows logs

Hi
Using the VMware vRealize Log Insight Agent, I'm collecting Windows Eventlogs for our syslog server. Lately I noticed that some eventlogs can't be collected, and I figured out that there is a difference in the naming of the eventlog files that can't be collected compared to the ones that can.
Eventlogs that CAN be collected are for example:
Microsoft-Windows-FailoverClustering-CsvFs/Operational
File name:
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-FailoverClustering-CsvFs%4Operational.evtx

Microsoft-Windows-FailoverClustering-WMIProvider/Admin
File Name:
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-FailoverClustering-WMIProvider%4Admin.evtx

Eventlogs that CAN'T be collected are for example:
Microsoft-Windows-Hyper-V-High-Availability-Admin
File name: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Hyper-V-High-Availability-Admin.evtx

Another one that fails:
Microsoft-Windows-Hyper-V-StorageVSP-Admin
File Name:
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Hyper-V-StorageVSP-Admin.evtx


Notice the difference: the first one has /Operational in its name to mention the subchannel and uses %4 in the file name. The ones that can't be collected don't use a /Operational or /Admin for the subchannel and also don't have the %4 in their file name.

I see this change in naming on many of our servers. Is this a Windows issue naming the files differently, or is this a Log Insight issue, not being able to cope with two different naming schemas?
 


http://www.GabesVirtualWorld.com
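As an added check that is not part of the original post: the PowerShell below asks Windows itself (via Get-WinEvent -ListLog) for the registered channel name, the backing .evtx file and the enabled state of the four channels named above, so the naming difference can be confirmed on the affected server before blaming the agent. The channel list is taken from the post; that it is run in an elevated PowerShell on the host whose logs are not collected is my assumption.

```powershell
# Added check, not code from the original post or from VMware.
# Assumes an elevated PowerShell session on the server whose channels fail to collect.

# Channel names taken from the post; replace with the ones your agent config references.
$channelsToCheck = @(
    'Microsoft-Windows-FailoverClustering-CsvFs/Operational',
    'Microsoft-Windows-FailoverClustering-WMIProvider/Admin',
    'Microsoft-Windows-Hyper-V-High-Availability-Admin',
    'Microsoft-Windows-Hyper-V-StorageVSP-Admin'
)

# Get-WinEvent -ListLog returns the registered configuration of every channel,
# including the path of the .evtx file exactly as Windows resolves it.
$allLogs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue

foreach ($name in $channelsToCheck) {
    $log = $allLogs | Where-Object { $_.LogName -eq $name }
    if (-not $log) {
        # A name that is not a registered channel cannot be subscribed to under that name.
        [pscustomobject]@{ Channel = $name; Registered = $false; File = $null; HasPercent4 = $null; Enabled = $null }
        continue
    }
    $file = Split-Path -Leaf $log.LogFilePath
    [pscustomobject]@{
        Channel     = $name
        Registered  = $true
        File        = $file
        # Windows writes the '/' between provider and subchannel as %4 in the file name,
        # so a channel name without '/' yields a file name without %4.
        HasPercent4 = ($file -like '*%4*')
        # A disabled channel records nothing, so nothing reaches any collector.
        Enabled     = $log.IsEnabled
    }
}

# Registered Hyper-V channels whose name carries no '/' subchannel separator at all;
# these are the "flat" names the post describes.
$allLogs |
    Where-Object { $_.LogName -like 'Microsoft-Windows-Hyper-V*' -and $_.LogName -notlike '*/*' } |
    Select-Object LogName, IsEnabled, @{ n = 'File'; e = { Split-Path -Leaf $_.LogFilePath } }
```

Compare the LogName column with the channel name in the agent configuration character for character; the agent must be given the registered channel name, not the file name.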