Guys, I'm running the log forwarder on my Windows 2008 SP2 (not R2) domain controllers and subscribing to many events that I forward to my Kiwi Syslogger running on Windows 2012 R2. From there I have a custom view to group various messages for support/troubleshooting etc. Problem is, the raw syslog message always contains this text:
The description for Event ID <eventid> from source <event channel> cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.The following information was included with the event: 10.112.64.20:23122. FormatMessage failed with error 15100, The resource loader failed to find MUI file.
This is a problem as I don't want that text in the syslog. You would normally see this type of message when browsing event viewer messages from a different OS, but since the forwarder is running on the DC under the local system account, surely it should be able to decode the message before translating it into a syslog?
I contacted support and it's a known bug in 1.2. Dev are working on it. I was instructed to use version 1.1.19 which worked fine for me on 2008/2008R2/2012 R2 ;P)