Symantec Event Collector for Microsoft Vista and Microsoft Windows Server 2008 missing description field

Article ID: 153017

Products

Security Information Manager

Issue/Introduction

You notice that a field such as the description or the Windows Message is missing from the event mapping.

In the Symantec Security Information Manager console you can't see a description field for this event.

Cause

If you look at the XML version of this event in the Windows Event Viewer, the Friendly View doesn't contain any description, and the XML view doesn't have the description either.

Resolution

There is no solution to this: the issue is with the WinRM utilities, which only collect the XML export of the event.

For more information, see http://msdn.microsoft.com/en-us/library/aa384426%28v=vs.85%29.aspx

The Collector raw event matches the XML content seen in the Windows Event Viewer:

Raw Event = <?xml version="1.0" encoding="UTF-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" Name="Microsoft-Windows-Security-Auditing"/><EventID>5140</EventID><Version>0</Version><Level>0</Level><Task>12808</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime="2010-12-16T12:53:12.415Z"/><EventRecordID>11832745</EventRecordID><Correlation/><Execution ProcessID="4" ThreadID="2232"/><Channel>Security</Channel><Computer>xen-win2k8-x64.xen-emea.ts</Computer><Security/></System><EventData><Data Name="SubjectUserSid">S-1-5-21-2908534852-3611508110-2865770924-1106</Data><Data Name="SubjectUserName">ATR-XEN-WINXP$</Data><Data Name="SubjectDomainName">XEN-EMEA</Data><Data Name="SubjectLogonId">0x1b1a91d</Data><Data Name="IpAddress">10.160.98.163</Data><Data Name="IpPort">4422</Data><Data Name="ShareName">\\*\IPC$</Data></EventData></Event>


Another example occurs when collecting from domain controllers. As in the first raw event example, the XML view is missing the "<Message>" to "</Message>" section.

On this Windows 2008 SP2 system, the XML looks like this:

Raw Event = <?xml version="1.0" encoding="UTF-8"?>
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"
Name="Microsoft-Windows-Security-Auditing"/><EventID>4769</EventID><Version>0</Version><Level>0</Level><Task>14337</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated
SystemTime="2011-07-19T06:45:05.406Z"/><EventRecordID>761169</EventRecordID><Correlation/><Execution
ProcessID="600"
ThreadID="704"/><Channel>Security</Channel><Computer>WIN-91OY2QS0LT5.dolata.local</Computer><Security/></System><EventData><Data
Name="TargetUserName">[email protected]</Data><Data
Name="TargetDomainName">test.LOCAL</Data><Data
Name="ServiceName">WIN-91OY2QS0LT5$</Data><Data
Name="ServiceSid">S-1-5-21-246001316-4064295737-3156060233-1001</Data><Data
Name="TicketOptions">0x40810000</Data><Data
Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">::1</Data><Data
Name="IpPort">0</Data><Data Name="Status">0x0</Data><Data
Name="LogonGuid">{278E4B03-4EDD-F0F2-DF29-B52178980933}</Data><Data
Name="TransmittedServices">-</Data></EventData></Event>

On this Windows 2008 R2 system, the XML looks like this:

Raw Event = <?xml version="1.0" encoding="UTF-8"?>
<Event
xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider
Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"
Name="Microsoft-Windows-Security-Auditing"/><EventID>4769</EventID><Version>0</Version><Level>0</Level><Task>14337</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated
SystemTime="2011-07-19T07:29:46.674521100Z"/><EventRecordID>17762877</EventRecordID><Correlation/><Execution
ProcessID="484"
ThreadID="2952"/><Channel>Security</Channel><Computer>PDC1.bl-services.ts</Computer><Security/></System><EventData><Data
Name="TargetUserName">[email protected]</Data><Data
Name="TargetDomainName">BL-SERVICES.TS</Data><Data
Name="ServiceName">PDC1$</Data><Data
Name="ServiceSid">S-1-5-21-528397911-2440552494-1698350525-1000</Data><Data
Name="TicketOptions">0x40810000</Data><Data
Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">::1</Data><Data
Name="IpPort">0</Data><Data Name="Status">0x0</Data><Data
Name="LogonGuid">{1155C94F-2052-0117-719C-759F4474B3CC}</Data><Data
Name="TransmittedServices">-</Data></EventData><RenderingInfo
Culture="en-US"><Message>A Kerberos service ticket was requested.

Account Information:
 Account Name:  
[email protected]
 Account Domain:  BL-SERVICES.TS
 Logon GUID:  {1155C94F-2052-0117-719C-759F4474B3CC}

Service Information:
 Service Name:  PDC1$
 Service ID:  S-1-5-21-528397911-2440552494-1698350525-1000

Network Information:
 Client Address:  ::1
 Client Port:  0

Additional Information:
 Ticket Options:  0x40810000
 Ticket Encryption Type: 0x12
 Failure Code:  0x0
 Transited Services: -

This event is generated every time access is requested to a resource such as a
computer or a Windows service.  The service name indicates the resource to which
access was requested.

This event can be correlated with Windows logon events by comparing the Logon
GUID fields in each event.  The logon event occurs on the machine that was
accessed, which is often a different machine than the domain controller which
issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC
4120.
</Message><Level>Information</Level><Task>Kerberos Service Ticket
Operations</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft
Windows security auditing.</Provider><Keywords><Keyword>Audit
Success</Keyword></Keywords></RenderingInfo></Event>


Applies To

This typically happens for Event ID 5140; the description should be "A Network share object was accessed".
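The two raw events above differ only in whether the export carries a RenderingInfo/Message block, which is exactly what the collector's description mapping reads. The following Python is an added example, not the Symantec collector's own code: it parses a WinRM-style event XML, reports which records arrived without a rendered message, and builds a fallback description from the Event ID and the EventData fields. The sample events are abbreviated from the raw events quoted in this article; the FALLBACK_DESCRIPTIONS table and SUMMARY_FIELDS list are assumptions you would extend for the Event IDs your mapping needs.

```python
"""Added example: detect WinRM-exported Windows events that lack the rendered
<RenderingInfo><Message> block and build a fallback description from EventData.
Illustrative code, not the Symantec collector's own logic."""
import xml.etree.ElementTree as ET

# Default namespace of the Windows event schema, as seen in the raw events above.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Fallback description per Event ID, used only when the export has no Message.
# 5140 text is from the article's "Applies To" note, 4769 from the R2 sample;
# extending this table for other IDs is an assumption for your environment.
FALLBACK_DESCRIPTIONS = {
    5140: "A network share object was accessed.",
    4769: "A Kerberos service ticket was requested.",
}

# EventData fields worth surfacing when no rendered message exists (assumption).
SUMMARY_FIELDS = ("SubjectDomainName", "SubjectUserName", "TargetUserName",
                  "ServiceName", "IpAddress", "IpPort", "ShareName")

# Constructed samples, abbreviated from the article's raw events: a 5140 export
# without RenderingInfo (the 2008 SP2 shape) and a 4769 export with it (2008 R2).
SAMPLE_5140_NO_MESSAGE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>5140</EventID>
<EventRecordID>11832745</EventRecordID><Channel>Security</Channel>
<Computer>xen-win2k8-x64.xen-emea.ts</Computer></System>
<EventData><Data Name="SubjectUserName">ATR-XEN-WINXP$</Data>
<Data Name="SubjectDomainName">XEN-EMEA</Data>
<Data Name="IpAddress">10.160.98.163</Data><Data Name="IpPort">4422</Data>
<Data Name="ShareName">\\*\IPC$</Data></EventData></Event>"""

SAMPLE_4769_WITH_MESSAGE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4769</EventID>
<EventRecordID>17762877</EventRecordID><Channel>Security</Channel>
<Computer>PDC1.bl-services.ts</Computer></System>
<EventData><Data Name="ServiceName">PDC1$</Data><Data Name="IpAddress">::1</Data>
<Data Name="TicketEncryptionType">0x12</Data></EventData>
<RenderingInfo Culture="en-US"><Message>A Kerberos service ticket was requested.

Service Information:
 Service Name:  PDC1$
</Message><Level>Information</Level></RenderingInfo></Event>"""


def parse_event(xml_text):
    """Return the fields the mapping needs; 'message' is None when the export
    carries no RenderingInfo/Message element."""
    root = ET.fromstring(xml_text.strip())
    system = root.find(NS + "System")
    data = {}
    event_data = root.find(NS + "EventData")
    if event_data is not None:
        for item in event_data.findall(NS + "Data"):
            data[item.get("Name")] = (item.text or "").strip()
    message = root.findtext(NS + "RenderingInfo/" + NS + "Message")
    return {
        "event_id": int(system.findtext(NS + "EventID")),
        "record_id": int(system.findtext(NS + "EventRecordID")),
        "computer": system.findtext(NS + "Computer"),
        "data": data,
        "message": message.strip() if message and message.strip() else None,
    }


def describe(event):
    """Use the rendered message's first line when present; otherwise build a
    description from the Event ID table plus the summary EventData fields."""
    if event["message"]:
        return event["message"].splitlines()[0].strip()
    base = FALLBACK_DESCRIPTIONS.get(
        event["event_id"], "Event ID %d (no rendered message)" % event["event_id"])
    details = ", ".join("%s=%s" % (key, event["data"][key])
                        for key in SUMMARY_FIELDS if key in event["data"])
    return base + (" [" + details + "]" if details else "")


def records_missing_description(xml_events):
    """List (computer, record_id) for every export without a Message block, so
    you can see which hosts' WinRM exports leave the description mapping empty."""
    return [(e["computer"], e["record_id"])
            for e in map(parse_event, xml_events) if e["message"] is None]


if __name__ == "__main__":
    for sample in (SAMPLE_5140_NO_MESSAGE, SAMPLE_4769_WITH_MESSAGE):
        print(describe(parse_event(sample)))
    print(records_missing_description([SAMPLE_5140_NO_MESSAGE, SAMPLE_4769_WITH_MESSAGE]))
```

Running the script prints the synthesised 5140 description, the rendered 4769 description, and the single record that arrived without a message. In a collector pipeline the same check lets you alert on sources whose exports never include RenderingInfo instead of silently mapping an empty description.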