We are collecting events in our Supercharger platform from workstations with GPO subscriptions and its working great for all windows events we are filtering we see them all in the Eventlog viewer without issues.
Then, we use then nxlog installed on supercharger collectors to forward those filtered events to SIEM/syslog servers.
Nxlog uses eventlog API to get those events and forwards them, but only on one particular event 4688 we get an error message like this when executing the query:
2019-05-28 13:05:20 <hostname> AUDIT_SUCCESS 4688 [The description for EventID 4688 from source Microsoft-Windows-Security-Auditing cannot be found: The substitution string for insert index (%1) could not be found.
And the message is not forwarded because we drop the event when nxlog is not populating the $Message and other necessary variables to send the message in the correct format.
For any other event different than 4688 we see no issues.
Also, if we install nxlog with the same configuration directly on the worksations, we don´t have this issue, the eventlog API returns the event successfuly and nxlog populates the message and forwards it without any issue.
Have you any idea why this behavior could happen only for this particular event?
Thanks, your help will be much appreciated.