2020-08-04 10:04 AM
Hi community, I have a customer who recently deployed NetWitness 11.4.1 and he is retrieving Windows events using WinRM. Almost all events were retrieved just fine except those within the System Channel with ID 7036. The raw event is as follows:
%NICWIN-4-System_7036_Service Control Manager: System,rn=4845808 cid=2104 eid=716,Thu Jul 30 14:50:16 2020,7036,Service Control Manager,,,host.domain.net,0,,
This kind of event obviously isn't correctly parsed, causing the existence of the "word" meta key.
Maybe we are missing something on the Windows server side, but I don't know how to pinpoint this issue.
Regards,
Max
2020-08-04 10:13 AM
Max, this may be a shot in the dark but I believe I have had this truncation problem when "Render Events" was not checked in the UI on the NetWitness side. If you need to check it, restart the Windows log collection.
2020-08-04 10:15 AM
Thank you Aaron, I will give it a try. I will let you know the results.
2020-08-04 02:29 PM
Aaron, I have checked that with my customer and he already has that check enabled... One thing to keep in mind: this is the only type of event that seems to be incomplete.
2022-04-06 04:24 PM
Had it happen on multiple events.
Render event was already checked. I ended up disabling and enabling Render events and that fixed the issue.