Some events missing data

 
Some events missing data - 6.Aug.2009 10:52:47 AM   
mdangelo (Posts: 6, Joined: 31.Oct.2006)
I'm having a strange problem specifically with event 5136 (which audits AD changes in Server 2008.) Other events for Server 2008 seem to be fine, but with this one, none of the custom fields are being populated.

Compare the original XML event data:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5136</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14081</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2009-08-06T14:08:23.199Z" />
    <EventRecordID>154156063</EventRecordID>
    <Correlation />
    <Execution ProcessID="460" ThreadID="1748" />
    <Channel>Security</Channel>
    <Computer>dc3brc.pace.edu</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="OpCorrelationID">{44008EE8-2D6E-4BD3-B543-0B2257E04723}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-254494878-1253622069-3383492343-52130</Data>
    <Data Name="SubjectUserName">mdangelo</Data>
    <Data Name="SubjectDomainName">PACE</Data>
    <Data Name="SubjectLogonId">0x39a619ea0</Data>
    <Data Name="DSName">pace.edu</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="ObjectDN">CN=Campion\, Marian F.,OU=Retiree Benefits Costs,OU=Retiree Benefits Costs,OU=University Benefits,OU=Total University,OU=People,DC=pace,DC=edu</Data>
    <Data Name="ObjectGUID">{BA5EF6B0-6C22-4CB9-82CA-AC5B5427EAC8}</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">cn</Data>
    <Data Name="AttributeSyntaxOID">2.5.5.12</Data>
    <Data Name="AttributeValue">Campion McDermott, Marian F.</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>


With the one stored in GFI EventsManager:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID Qualifiers="">5136</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14081</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="08/06/09 10:08:23" />
    <EventRecordID>154156053</EventRecordID>
    <Correlation />
    <Execution ProcessID="460" ThreadID="1748" />
    <Channel>Security</Channel>
    <Computer>dc3brc.pace.edu</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="OpCorrelationID">%1</Data>
    <Data Name="AppCorrelationID">%2</Data>
    <Data Name="SubjectUserSid">%3</Data>
    <Data Name="SubjectUserName">%4</Data>
    <Data Name="SubjectDomainName">%5</Data>
    <Data Name="SubjectLogonId">%6</Data>
    <Data Name="DSName">%7</Data>
    <Data Name="DSType">%8</Data>
    <Data Name="ObjectDN">%9</Data>
    <Data Name="ObjectGUID">%10</Data>
    <Data Name="ObjectClass">%11</Data>
    <Data Name="AttributeLDAPDisplayName">%12</Data>
    <Data Name="AttributeSyntaxOID">%13</Data>
    <Data Name="AttributeValue">%14</Data>
    <Data Name="OperationType">%15</Data>
  </EventData>
</Event>
Post #: 1
RE: Some events missing data - 10.Aug.2009 3:12:19 PM   
DrewE (Posts: 1058, Joined: 28.Apr.2008, From: Cary, NC)
What build of GFI EventsManager are you using?

_____________________________

Drew Easley - Technical Support Representative
GFI Software - www.gfi.com

(in reply to mdangelo)
Post #: 2
RE: Some events missing data - 10.Aug.2009 3:14:17 PM   
mdangelo (Posts: 6, Joined: 31.Oct.2006)
Build 20090302, which it says is the latest. I have been running version 8 since it originally came out, so it has been upgraded a number of times.

(in reply to DrewE)
Post #: 3
RE: Some events missing data - 21.Aug.2009 8:45:41 AM   
marcink137 (Posts: 1, Joined: 21.Aug.2009)
Hi mdangelo, I have a similar problem with EventsManager, which does not save all fields from Windows 2008 events to the database. I confirmed this issue with support a few weeks ago, but there is still no solution. I figured this out collecting events from a Windows 2008 domain controller: for instance, event 4625, which corresponds to account logon problems, has two very useful fields, Status and SubStatus. They are very helpful for creating event processing rules. But EventsManager shows these fields as empty, so the rules do not work. I hope a patch will be released soon :(

Regards
M

(in reply to mdangelo)
Post #: 4
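Added example (not part of the original thread and not GFI's code): a Python script that parses Windows event XML and flags EventData fields a collector left unpopulated, either empty (the 4625 Status/SubStatus symptom in post #4) or a bare "%N" placeholder (the 5136 symptom in post #1). It also shows what "%N" means: the N-th insertion string of the original event, so a stored record like the one in post #1 can be repaired only if those strings are still available. The sample events are constructed; the field names are the real 5136 and 4625 names, the values are invented. Note the caveat in the code: "%%14676"-style values with a double percent are message-table references that Windows legitimately leaves unrendered, and must not be treated as missing data.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (the xmlns on the <Event> elements above).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# A bare, unresolved insertion-string placeholder such as "%9".
# "%%14676"-style values (double percent) are message-table references that
# Windows legitimately leaves for the consumer to render; they are NOT flagged.
PLACEHOLDER = re.compile(r"^%(\d+)$")

# Constructed sample mirroring the shape of the 5136 event in post #1:
# the field names are the real ones, the values are invented.
ORIGINAL_5136 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="OpCorrelationID">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x1a2b3c</Data>
    <Data Name="DSName">example.test</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="ObjectDN">CN=Doe\, Jane,OU=People,DC=example,DC=test</Data>
    <Data Name="ObjectGUID">{00000000-0000-0000-0000-0000000000aa}</Data>
    <Data Name="ObjectClass">user</Data>
    <Data Name="AttributeLDAPDisplayName">cn</Data>
    <Data Name="AttributeSyntaxOID">2.5.5.12</Data>
    <Data Name="AttributeValue">Doe Smith, Jane</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>"""

# The same event as the collector in post #1 stored it: every value left as "%N".
STORED_5136 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID Qualifiers="">5136</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="OpCorrelationID">%1</Data>
    <Data Name="AppCorrelationID">%2</Data>
    <Data Name="SubjectUserSid">%3</Data>
    <Data Name="SubjectUserName">%4</Data>
    <Data Name="SubjectDomainName">%5</Data>
    <Data Name="SubjectLogonId">%6</Data>
    <Data Name="DSName">%7</Data>
    <Data Name="DSType">%8</Data>
    <Data Name="ObjectDN">%9</Data>
    <Data Name="ObjectGUID">%10</Data>
    <Data Name="ObjectClass">%11</Data>
    <Data Name="AttributeLDAPDisplayName">%12</Data>
    <Data Name="AttributeSyntaxOID">%13</Data>
    <Data Name="AttributeValue">%14</Data>
    <Data Name="OperationType">%15</Data>
  </EventData>
</Event>"""

# Constructed 4625 (logon failure) as post #4 describes it being stored:
# Status and SubStatus come back empty, so a rule keyed on them never matches.
STORED_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserName">bob</Data>
    <Data Name="Status"></Data>
    <Data Name="SubStatus"/>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>"""


def event_data(xml_text):
    """EventData fields as an ordered list of (name, value); the order is what %N indexes."""
    root = ET.fromstring(xml_text)
    return [(d.get("Name"), d.text or "") for d in root.findall("e:EventData/e:Data", NS)]


def find_unresolved(xml_text):
    """Names of fields the collector failed to populate: empty, or a bare %N placeholder."""
    return [name for name, value in event_data(xml_text)
            if value == "" or PLACEHOLDER.match(value)]


def resolve_placeholders(stored_xml, insertion_strings):
    """Substitute each %N with insertion_strings[N-1]; %N is 1-based, as in message tables."""
    resolved = []
    for name, value in event_data(stored_xml):
        m = PLACEHOLDER.match(value)
        if m:
            idx = int(m.group(1)) - 1
            if idx >= len(insertion_strings):
                raise ValueError(f"{name}: {value} has no matching insertion string")
            value = insertion_strings[idx]
        resolved.append((name, value))
    return resolved


if __name__ == "__main__":
    for label, xml in (("5136 original", ORIGINAL_5136), ("5136 stored", STORED_5136),
                       ("4625 stored", STORED_4625)):
        print(f"{label}: unresolved fields = {find_unresolved(xml)}")
    strings = [v for _, v in event_data(ORIGINAL_5136)]
    print("resolved ObjectDN:", dict(resolve_placeholders(STORED_5136, strings))["ObjectDN"])
```

Run the stored copy of any event through find_unresolved before writing processing rules against it: a rule keyed on a field that holds "%9" or "" can never fire, and the failure is silent. Note that resolving placeholders after the fact needs the original insertion strings, which the stored record no longer carries; the fix has to happen in the collector, not in the database.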