Not receiving all Windows Event Log Streams

Answered

Robert Slattery

• June 14, 2018 16:41

I have a Windows logging host with the AL agent installed.  It is sending event log streams from Application, Security and System.  The Windows Event Log policy has the "Collect All Streams" option enabled.  However, I am not receiving any other streams than the big 3.  Support has provided some documentation about changing the local audit policy but I cannot see how that would help.

Has anyone else had any issues getting all Windows Event Log Streams to the AL agent?

 

Sincere thanks!

Bob

Yes 1 No

• Official comment

  

  Paul Le Page

  • June 19, 2018 13:50

  Hi Bob,

  I can see you have a ticket raised with support for this issue - I think progressing that will be the best way to get your query resolved.

  If you have configured all streams to be collected, that is what should be happening. However it is possible we do not have parsers for the particular messages that you are interested in. You can view unparsed messages in the log search interface by setting "Message Type" to "Does Not Exist." You can still perform full text search on the unparsed messages, eg. "Message" contains "DHCP"

  If parsers are required for your specific use case, you can request parser creation by our content team via support - they will send you a form to complete. There is no charge for this service - you can find out more about requesting parsers in the knowledge base here: https://support.alertlogic.com/hc/en-us/articles/115000391187-How-can-I-request-for-my-logs-to-be-parsed-

   
• 

  Abby Kincer

  • June 19, 2018 13:19
  • Edited

  Bob -

  Looks like the community didn’t have much in the way of advice for you on this, so I’m going to pull in some experts to see if they can help!

  Yes 0 No

Please sign in to leave a comment.