I am seeing a disturbing proportion of corrupt/malformed events in a heavily filtered view of the Windoze Security Log. The native Event Viewer chokes on them.
When looking at the XML view of the event, the event includes gibberish characters, and is preceded by the following message: *"This event is not displayed correctly because the underlying XML is not well formed. Below is the raw text of the event."*

I could not establish a pattern of processes or types of events; they are all over the place, spread throughout the security event log. Anyone else seeing similar weird behavior in Windoze 10 (or in other flavors of Windoze)?

These corrupt events wreak havoc with upstream processing in NXlog and OSSEC, which pick up whatever Windoze throws at them, minus filtered events. Any way to get rid of these events at pick-up time in OSSEC and NXlog, before they are fed into Graylog?

I have also noticed another anomaly in Event ID 4658 (Object Handle Closed). In the normal event view (double-click on the event), there is an extra space between the Subject and the colon that follows it: "Subject :" instead of "Subject:". I have seen this in Windoze 7 as well. As far as I can tell, this is the only security event involving a subject with this anomaly.

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/cf435cf6-57e2-4c58-b23f-463614a8baca%40googlegroups.com.
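One defensive approach to the two problems raised above is a small pre-filter in the forwarding path: check each forwarded event record for the Event Viewer marker text or for XML that does not parse, drop (and count) those records so they cannot break downstream parsers, and normalize the "Subject :" label quirk so key/value extraction still works. The following is an added example written for this thread, not code from NXLog, OSSEC or Graylog; the sample event strings are constructed, and the function names are my own.

```python
"""Pre-filter for forwarded Windows Security event records.

Added example for the thread above (not NXLog/OSSEC/Graylog code).
Two concerns from the post are handled:
  1. events Event Viewer reports as corrupt (XML not well formed)
  2. the 'Subject :' label spacing seen in Event ID 4658
"""
import re
import xml.etree.ElementTree as ET

# Exact text Event Viewer prepends to a corrupt event (quoted in the post).
MALFORMED_MARKER = ("This event is not displayed correctly because the "
                    "underlying XML is not well formed.")


def is_well_formed(xml_text: str) -> bool:
    """True if the event XML parses; corrupt records raise ParseError."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def classify_event(raw: str) -> str:
    """'malformed' if the marker text is present or the XML fails to parse."""
    if MALFORMED_MARKER in raw:
        return "malformed"
    return "ok" if is_well_formed(raw) else "malformed"


# Matches a bare label line such as 'Subject :' (whitespace before the colon).
LABEL_RE = re.compile(r"^(\s*)([A-Za-z][A-Za-z ]*?)\s+:\s*$")


def normalize_labels(message: str) -> str:
    """Collapse 'Label :' into 'Label:' so section headers parse consistently."""
    out = []
    for line in message.splitlines():
        m = LABEL_RE.match(line)
        out.append(f"{m.group(1)}{m.group(2)}:" if m else line)
    return "\n".join(out)


def filter_batch(events):
    """Return (kept_events, dropped_count).

    The dropped count is worth emitting as a metric: a sudden rise in
    corrupt records on one host is itself something to investigate.
    """
    kept, dropped = [], 0
    for ev in events:
        if classify_event(ev) == "malformed":
            dropped += 1
        else:
            kept.append(ev)
    return kept, dropped


# Constructed sample records: one valid, one truncated, one with the marker.
SAMPLE_EVENTS = [
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><EventID>4658</EventID></System></Event>",
    "<Event><System><EventID>4624</EventID></System>",   # missing </Event>
    MALFORMED_MARKER + "\n\x00\x1f\ufffdgarbage",         # marker + binary junk
]

# Constructed rendered-message fragment showing the 4658 spacing quirk.
SAMPLE_MESSAGE = "An object handle was closed.\n\nSubject :\n\tSecurity ID:\tS-1-5-18"

if __name__ == "__main__":
    kept, dropped = filter_batch(SAMPLE_EVENTS)
    print(f"kept={len(kept)} dropped={dropped}")
    print(normalize_labels(SAMPLE_MESSAGE))
```

The same two checks map onto a forwarder's filtering stage (for example an NXLog Exec block or an OSSEC decoder) once you know which field carries the raw event text on your hosts; that field name varies by setup and is not assumed here.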
