Hi,
We have an auditing setup which logs to the Windows event logs (Forwarded Events) with the "MSSQLSERVER$AUDIT" source.
They are displayed well in the Event Viewer console, but in Splunk the log is truncated and the message is empty:
![alt text][1]
Here is the input file on the Windows server:
![alt text][2]
On the other hand, "Microsoft Windows Security auditing" events that are in "Forwarded Events" too are correctly sent and parsed in the Splunk indexer.
How come?
Where else do I have to check?
*Splunk UF is installed on Windows server with the Windows Events Collector*
Thanks
[1]: /storage/temp/234579-splunk.png
[2]: /storage/temp/234580-splunk2.png