
Windows Event Log Monitor -- Message Details

New to SolarWinds SAM, running 5.5. From what I have read, the Errors in Application Event Log monitoring template is configured to query the Windows Event Log, bring back the event details and put the text in the Message field. This feature was added in 5.2 according to the documentation. I have not gotten this to work correctly though. I get everything but the details when it polls. Any suggestions or ideas on what the issue is? Thanks

Pic1.png

  • What is the polling/fetching method being used for this component monitor, WMI or RPC?

  • The polling method is set to WMI. I checked again this morning, seems to be mixed results now: some events bring in the details, some don't. I went ahead and did a WMI query on the events that didn't return a message. Turns out they don't have that field populated even though they have text when viewing the event via the Event Viewer. However, using the PowerShell method, Get-EventLog, the message field is brought back successfully. I am wondering if this is a limitation of WMI or how the event is written to the Event Log.

  • It may very well be some kind of strange limitation we're not familiar with. What operating system version is this monitored host running? Also, have you tried changing the fetching method to RPC to see if that resolves the issue?

  • Server 2008 R2. I have tried RPC as well, same results.

  • I'm not aware of any reason why the message details would not be appearing when using WMI. There is a known limitation with RPC and Windows 2003 and earlier operating systems, but that doesn't apply in this circumstance. Have you verified that these events in the Windows Event Log of the server do contain text? Sometimes Windows events have no message details and therefore they would appear as you see it in your screenshots above. If these events truly do have full message details then I would encourage you to open a case with support so we can troubleshoot this issue further.

  • I played with this a little bit more by creating some test error event log entries with the PowerShell command Write-EventLog. I think I see what is going on. All of these events have something similar to "The description for Event ID 3001 from source Application cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer."

    However, using the Windows Event Viewer they still include the text for the message, such as the test message I created below.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    Test Message

    the message resource is present but the message is not found in the string/message table

    What is interesting is the PowerShell function Get-EventLog still brings this text back in the results.

  • Are the events you're looking to monitor for with SAM generated natively by the Windows operating system, or from a 3rd-party application? If you open the native Windows Event Viewer on the Orion server itself and connect to the remote host, do you see the full message details or just the message "The description for Event ID XXXX from source Application cannot be found"?

  • These events, for instance, were generated from Microsoft IIS. The full event details do show up when connecting remotely with the Windows Event Viewer from the Orion server.

  • If that's the case then I would recommend opening a case with support so we can troubleshoot this issue further.
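
A way to list the events described in this thread, where the WMI `Message` property comes back empty while the event still carries text, as an added example that is not part of the original discussion and is not SolarWinds code. It assumes Windows PowerShell on a machine with rights to query the monitored host; `$ComputerName`, `$EventId` and `$Newest` are placeholders to adjust.

```powershell
# Added diagnostic example: compare what WMI and Get-EventLog return
# for the same Application log records.
param(
    [string]$ComputerName = 'localhost',  # placeholder: the monitored host
    [int]$EventId = 3001,                 # event ID quoted in the thread
    [int]$Newest = 50                     # how many WMI results to inspect
)

# What the WMI fetching method sees: Win32_NTLogEvent records.
$filter = "Logfile='Application' AND EventCode=$EventId"
$wmiEvents = Get-WmiObject -Class Win32_NTLogEvent -ComputerName $ComputerName -Filter $filter |
    Select-Object -First $Newest

$report = foreach ($ev in $wmiEvents) {
    # Fetch the same record through Get-EventLog, matched on record number.
    $entry = Get-EventLog -LogName Application -ComputerName $ComputerName `
        -Index $ev.RecordNumber -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        RecordNumber        = $ev.RecordNumber
        Source              = $ev.SourceName
        WmiMessageEmpty     = [string]::IsNullOrEmpty($ev.Message)
        # Raw strings stored with the event, independent of any message DLL.
        WmiInsertionStrings = ($ev.InsertionStrings -join ' | ')
        GetEventLogMessage  = $(if ($entry) { $entry.Message } else { $null })
    }
}

# Records whose text is missing from WMI's Message property.
$report | Where-Object { $_.WmiMessageEmpty } |
    Select-Object RecordNumber, Source, WmiInsertionStrings, GetEventLogMessage |
    Format-List
```

Any record listed here with a non-empty `WmiInsertionStrings` value has its text stored with the event even though `Message` is blank, which matches the behaviour the poster reproduced with `Write-EventLog`.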